Description
DSSE has been updated to support signature extensions, which was not the case when we started the work on the bundle. This now allows us to put the verification material as an extension to the signature, instead of layering the envelope in a bundle. This, combined with dropping DSSE support from Rekor, can improve our situation and opens up an easier PQC adoption path. Consider this:
$ wc -c tmp-att.json
9943 tmp-att.json
$ jq . tmp-att.json
{
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"verificationMaterial": {
"certificate": {
"rawBytes": "MIIG..."
},
"tlogEntries": [
{
"logIndex": "97913944",
"logId": {
"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
},
"kindVersion": {
"kind": "dsse",
"version": "0.0.1"
},
"integratedTime": "1716998987",
"inclusionPromise": {
"signedEntryTimestamp": "MEUC..."
},
"inclusionProof": {
"logIndex": "93750513",
"rootHash": "gMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=",
"treeSize": "93750515",
"hashes": [
"uCO3hICjSShYg1eSenlwTjKq+JLB3ZCyAlvjnh/3yKE=",
"8KDdwXCQI9jhS7ufVuC2BRnD9yXb5Sfb+aLH8+BuSiQ=",
"JruHw9VeLnhrdEVV5mkJr8r+nZ1xqiAydH5iDPVP5fs=",
"GqhYL9+znswADy/JjZXofHxLmeE37Jx2HLJRGYjKeAA=",
"L7xfPpL8AE9ijsQTZeSX7QcbyCPHSxS7ch8Rc4JJVhQ=",
"DZjlMkk1MuzKvAUiWk9KMj9eQjzPpj5GHG9I2Vp+yaU=",
"Tgve40VPFfuei+0nhupdGpfPPR+hPpZjxgTiDT8WNoY=",
"wV+S/7tLtYGzkLaSb6UDqexNyhMvumHK/RpTNvEZuLU=",
"uwaWufty6sn6XqO1Tb9M3Vz6sBKPu0HT36mStxJNd7s=",
"jUfeMOXQP0XF1JAnCEETVbfRKMUwCzrVUzYi8vnDMVs=",
"xQKjzJAwwdlQG/YUYBKPXxbCmhMYKo1wnv+6vDuKWhQ=",
"cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=",
"sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=",
"98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="
],
"checkpoint": {
"envelope": "rekor.sigstore.dev - 2605736670972794746\n93750515\ngMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=\n\n— rekor.sigstore.dev wNI9ajBFAiEAu9Z/WsClrI/ejoMeXW9QRkDIMr3mXkzSBHDUjw+onw8CIBp9UrmrSf+rl0cM0Xj3zgqChtfMskkeEhgQ7T7nocF1\n"
}
},
"canonicalizedBody": "eyJh..."
}
],
"timestampVerificationData": {}
},
"dsseEnvelope": {
"payload": "eyJf...",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"sig": "MEQCIHiO3LhNrbV0Lz7sazQ8a3okIP3DBi45t5oQAQMUV1l/AiBO+NyF4JglqYKPPk2h2tnUFGi37g0wnGUWU/8ihQlOWQ=="
}
]
}
}
Note that for simplicity I have stripped the payload and the canonicalizedBody.
The payload is a simple SLSA build provenance attestation. The canonicalized body is a rekor response:
{
"apiVersion": "0.0.1",
"kind": "dsse",
"spec": {
"envelopeHash": {
"algorithm": "sha256",
"value": "7e81790fdeb9b259b4d8f39ad2f32fef010afc8813400b7351516d03b0d2a415"
},
"payloadHash": {
"algorithm": "sha256",
"value": "f553ffed4c53bcb343358e3835ee3f5185d70f1ba2a96666980aa63e95370ca4"
},
"signatures": [
{
"signature": "MEQCIHiO3LhNrbV0Lz7sazQ8a3okIP3DBi45t5oQAQMUV1l/AiBO+NyF4JglqYKPPk2h2tnUFGi37g0wnGUWU/8ihQlOWQ==",
"verifier": "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"
}
]
}
}
If we simplify the integration with Rekor by dropping the DSSE type, and only support hashed rekord, where the rekord would be the DSSE PAE: DSSEv1 + SP + LEN(type) + SP + type + SP + LEN(body) + SP + body (SP is an ASCII space), we actually get some benefits:
- The signature in the hashed rekord matches the signature put in the DSSE envelope (with pure/non-pre-hash signature algorithms we need to consider how this would work; can we design this protocol to always sign digests, and what would the issues be assuming we trust SHA256?)
- The canonicalization problem of DSSE envelopes goes away (the envelope hash is now part of the Rekor data type).
- Managing multiple signatures in the DSSE envelope is now trivial:
  - Each signature has an extension where the associated verification material is stored
  - For the PQC transition, multiple signatures can be added to the envelope, and older clients can still verify using existing signature algorithms
- As the hashed rekord is the DSSE PAE, the signature of the hashed rekord is the DSSE signature.
- Rekor is simpler, only a single data type to manage. The response can be greatly simplified by removing the kindVersion field. A lot of code can be dropped from Rekor.
- The canonicalized body field in Rekor can be removed, we don't need it. Based on the DSSE content, we have all the data to reconstruct each hashed record (the PAE and the signature).
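The reconstruction described above, as an added example that is not part of the issue or of any sigstore project code: it builds the DSSE PAE the proposal uses as the hashed rekord and derives one (sha256 digest, signature) pair per signature from a constructed envelope whose signature values are placeholders.

```python
import base64
import hashlib
import json

# Added example (not from the issue or the sigstore projects). It builds the
# DSSE Pre-Authentication Encoding the issue proposes to use as the hashed
# rekord, and reconstructs one hashed-rekord (digest, signature) pair per
# signature from the envelope alone, with no canonicalized body involved.


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSEv1 SP LEN(type) SP type SP LEN(body) SP body (SP = ASCII space).

    LEN is the decimal byte length. The type is measured after UTF-8
    encoding, so a multi-byte payload type counts bytes, not characters.
    """
    type_bytes = payload_type.encode("utf-8")
    return b" ".join([
        b"DSSEv1",
        str(len(type_bytes)).encode("ascii"),
        type_bytes,
        str(len(payload)).encode("ascii"),
        payload,
    ])


def hashed_rekords(envelope: dict) -> list:
    """One hashed rekord per envelope signature: sha256(PAE) plus the DSSE sig.

    Every signer signs the same PAE, so the digest is shared and each
    envelope 'sig' is directly the hashed rekord signature.
    """
    payload = base64.b64decode(envelope["payload"])
    digest = hashlib.sha256(pae(envelope["payloadType"], payload)).hexdigest()
    return [{"hash": digest, "signature": s["sig"]} for s in envelope["signatures"]]


# Constructed sample envelope with two signatures (e.g. a classical and a PQC
# one). The 'sig' values are base64 placeholders, not real signatures.
SAMPLE_ENVELOPE = {
    "payload": base64.b64encode(b'{"_type":"https://in-toto.io/Statement/v1"}').decode(),
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [
        {"sig": "c2lnLTE=", "extension": {"kind": "application/vnd.dev.sigstore.verificationmaterial.v0.1+json"}},
        {"sig": "c2lnLTI=", "extension": {"kind": "application/vnd.dev.sigstore.verificationmaterial.v0.1+json"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(hashed_rekords(SAMPLE_ENVELOPE), indent=2))
```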
To get a feel for how this would look, here is an example (with canonicalized body and kind version removed):
{
"payload": "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",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"sig": "MEQCIHiO3LhNrbV0Lz7sazQ8a3okIP3DBi45t5oQAQMUV1l/AiBO+NyF4JglqYKPPk2h2tnUFGi37g0wnGUWU/8ihQlOWQ==",
"extension": {
"kind": "application/vnd.dev.sigstore.verificationmaterial.v0.1+json",
"ext": {
"certificate": {
"rawBytes": "MIIGjjCCBhSgAwIBAgIUBPAVklFRy1I19DxrL2ppeyAY5rwwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwNTI5MTYwOTQ3WhcNMjQwNTI5MTYxOTQ3WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYuREZ1X0IP9t7jiECtO5xJxSRty+wPbBIwO8nHIdxfZ+WedgLxwZvFw2X8p6pO0CeQCYvOnOi6AFqsnoZcoF/qOCBTMwggUvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUV5QyxcivC6bR5crtA0TqKPZ8nskwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wWgYDVR0RAQH/BFAwToZMaHR0cHM6Ly9naXRodWIuY29tL2NsaS9jbGkvLmdpdGh1Yi93b3JrZmxvd3MvZGVwbG95bWVudC55bWxAcmVmcy9oZWFkcy90cnVuazA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKGZhZWYyZGRkODFiMDczNjc0ODQxM2E3YzY0NmNkMGJmYzI2YzAwYTAwGAYKKwYBBAGDvzABBAQKRGVwbG95bWVudDAVBgorBgEEAYO/MAEFBAdjbGkvY2xpMB4GCisGAQQBg78wAQYEEHJlZnMvaGVhZHMvdHJ1bmswOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMFwGCisGAQQBg78wAQkETgxMaHR0cHM6Ly9naXRodWIuY29tL2NsaS9jbGkvLmdpdGh1Yi93b3JrZmxvd3MvZGVwbG95bWVudC55bWxAcmVmcy9oZWFkcy90cnVuazA4BgorBgEEAYO/MAEKBCoMKGZhZWYyZGRkODFiMDczNjc0ODQxM2E3YzY0NmNkMGJmYzI2YzAwYTAwHQYKKwYBBAGDvzABCwQPDA1naXRodWItaG9zdGVkMCoGCisGAQQBg78wAQwEHAwaaHR0cHM6Ly9naXRodWIuY29tL2NsaS9jbGkwOAYKKwYBBAGDvzABDQQqDChmYWVmMmRkZDgxYjA3MzY3NDg0MTNhN2M2NDZjZDBiZmMyNmMwMGEwMCAGCisGAQQBg78wAQ4EEgwQcmVmcy9oZWFkcy90cnVuazAZBgorBgEEAYO/MAEPBAsMCTIxMjYxMzA0OTAmBgorBgEEAYO/MAEQBBgMFmh0dHBzOi8vZ2l0aHViLmNvbS9jbGkwGAYKKwYBBAGDvzABEQQKDAg1OTcwNDcxMTBcBgorBgEEAYO/MAESBE4MTGh0dHBzOi8vZ2l0aHViLmNvbS9jbGkvY2xpLy5naXRodWIvd29ya2Zsb3dzL2RlcGxveW1lbnQueW1sQHJlZnMvaGVhZHMvdHJ1bmswOAYKKwYBBAGDvzABEwQqDChmYWVmMmRkZDgxYjA3MzY3NDg0MTNhN2M2NDZjZDBiZmMyNmMwMGEwMCEGCisGAQQBg78wARQEEwwRd29ya2Zsb3dfZGlzcGF0Y2gwTQYKKwYBBAGDvzABFQQ/DD1odHRwczovL2dpdGh1Yi5jb20vY2xpL2NsaS9hY3Rpb25zL3J1bnMvOTI4OTA3NTc1Mi9hdHRlbXB0cy8xMBYGCisGAQQBg78wARYECAwGcHVibGljMIGLBgorBgEEAdZ5AgQCBH0EewB5AHcA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGPxR1ehQAABAM
ASDBGAiEAweFKrsH16bP8Gmn8LMywi8Ea96yiSKQZluJ3G2IQ/8ACIQDOu5bUnHh+fhHikvRNmAcEFdSHqkO2UKNvx1xkMsGTWTAKBggqhkjOPQQDAwNoADBlAjB7bJCz8SPeRB/BSHIGHyotjGyDx8OOIfnAPoypfZTzAxkiW2zSZPh9X0A3RhnmftcCMQCmw6Oldamb+p7rdN+95vN6U1dOvat3VMsiS45oeLFVaIon9sbrA0HfFwtCUI1dXDw="
},
"tlogEntries": [
{
"logIndex": "97913944",
"logId": {
"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
},
"integratedTime": "1716998987",
"inclusionProof": {
"logIndex": "93750513",
"rootHash": "gMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=",
"treeSize": "93750515",
"hashes": [
"uCO3hICjSShYg1eSenlwTjKq+JLB3ZCyAlvjnh/3yKE=",
"8KDdwXCQI9jhS7ufVuC2BRnD9yXb5Sfb+aLH8+BuSiQ=",
"JruHw9VeLnhrdEVV5mkJr8r+nZ1xqiAydH5iDPVP5fs=",
"GqhYL9+znswADy/JjZXofHxLmeE37Jx2HLJRGYjKeAA=",
"L7xfPpL8AE9ijsQTZeSX7QcbyCPHSxS7ch8Rc4JJVhQ=",
"DZjlMkk1MuzKvAUiWk9KMj9eQjzPpj5GHG9I2Vp+yaU=",
"Tgve40VPFfuei+0nhupdGpfPPR+hPpZjxgTiDT8WNoY=",
"wV+S/7tLtYGzkLaSb6UDqexNyhMvumHK/RpTNvEZuLU=",
"uwaWufty6sn6XqO1Tb9M3Vz6sBKPu0HT36mStxJNd7s=",
"jUfeMOXQP0XF1JAnCEETVbfRKMUwCzrVUzYi8vnDMVs=",
"xQKjzJAwwdlQG/YUYBKPXxbCmhMYKo1wnv+6vDuKWhQ=",
"cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=",
"sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=",
"98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="
],
"checkpoint": {
"envelope": "rekor.sigstore.dev - 2605736670972794746\n93750515\ngMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=\n\n— rekor.sigstore.dev wNI9ajBFAiEAu9Z/WsClrI/ejoMeXW9QRkDIMr3mXkzSBHDUjw+onw8CIBp9UrmrSf+rl0cM0Xj3zgqChtfMskkeEhgQ7T7nocF1\n"
}
}
}
],
"timestampVerificationData": {}
}
}
}
]
}
and the size:
$ wc -c dsse_sig_bundle.json
5012
As seen, by dropping the canonicalized body from Rekor we reduce the size of the "bundle" significantly (the canonicalized body contains B64(PEM(DER(cert))), which adds up a bit).
For a complete example, here is an envelope with multiple signatures:
{
"payload": "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",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"sig": "MEQCIHiO3LhNrbV0Lz7sazQ8a3okIP3DBi45t5oQAQMUV1l/AiBO+NyF4JglqYKPPk2h2tnUFGi37g0wnGUWU/8ihQlOWQ==",
"extension": {
"kind": "application/vnd.dev.sigstore.verificationmaterial.v0.1+json",
"ext": {
"certificate": {
"rawBytes": "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"
},
"tlogEntries": [
{
"logIndex": "97913944",
"logId": {
"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
},
"integratedTime": "1716998987",
"inclusionProof": {
"logIndex": "93750513",
"rootHash": "gMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=",
"treeSize": "93750515",
"hashes": [
"uCO3hICjSShYg1eSenlwTjKq+JLB3ZCyAlvjnh/3yKE=",
"8KDdwXCQI9jhS7ufVuC2BRnD9yXb5Sfb+aLH8+BuSiQ=",
"JruHw9VeLnhrdEVV5mkJr8r+nZ1xqiAydH5iDPVP5fs=",
"GqhYL9+znswADy/JjZXofHxLmeE37Jx2HLJRGYjKeAA=",
"L7xfPpL8AE9ijsQTZeSX7QcbyCPHSxS7ch8Rc4JJVhQ=",
"DZjlMkk1MuzKvAUiWk9KMj9eQjzPpj5GHG9I2Vp+yaU=",
"Tgve40VPFfuei+0nhupdGpfPPR+hPpZjxgTiDT8WNoY=",
"wV+S/7tLtYGzkLaSb6UDqexNyhMvumHK/RpTNvEZuLU=",
"uwaWufty6sn6XqO1Tb9M3Vz6sBKPu0HT36mStxJNd7s=",
"jUfeMOXQP0XF1JAnCEETVbfRKMUwCzrVUzYi8vnDMVs=",
"xQKjzJAwwdlQG/YUYBKPXxbCmhMYKo1wnv+6vDuKWhQ=",
"cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=",
"sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=",
"98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="
],
"checkpoint": {
"envelope": "rekor.sigstore.dev - 2605736670972794746\n93750515\ngMhRWa9QJ/1Uo9uNTUUXI1yPO+SvNGJNiY+zGBZMdSc=\n\n— rekor.sigstore.dev wNI9ajBFAiEAu9Z/WsClrI/ejoMeXW9QRkDIMr3mXkzSBHDUjw+onw8CIBp9UrmrSf+rl0cM0Xj3zgqChtfMskkeEhgQ7T7nocF1\n"
}
}
}
],
"timestampVerificationData": {}
}
}
},
{
"sig": "MEQCAAAA3LhNrbV0Lz7sazQ8a3okIP3DBi45t5oQAQMUV1l/AiBO+NyF4JglqYKPPk2h2tnUFGi37g0wnGUWU/8ihQlOWQ==",
"extension": {
"kind": "application/vnd.dev.sigstore.verificationmaterial.v0.1+json",
"ext": {
"certificate": {
"rawBytes": "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"
},
"tlogEntries": {},
"timestampVerificationData": {
"Rfc3161Timestamps": [
"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"
]
}
}
}
}
]
}
Public key in the log
We need to add some verification material back to the transparency log entry when the canonicalized body is removed. My suggestion is to strip the public key from the cert, then compute the SHA256 digest of it, and store that in the log.
This removes any log poisoning possibilities via the cert or a raw public key. This will have some consequences for monitoring, but it's solvable. Any clients using Fulcio can monitor Fulcio's CT log for their identity, then monitor Rekor for usages of that associated public key. For clients using long-lived keys, monitoring is trivial.
This has another benefit: if Fulcio implements log poisoning protection, Rekor is unaffected by that (i.e. no changes are needed in Rekor), as only the public key matters. As long as a client can find their entries in the Fulcio CT log and extract the public key, the associated entry in Rekor is possible to find.