
Document our TSA/signed timestamp policy #1226

Open
@woodruffw

Description

We should do this before making a public release that includes TSA/timestamp support:

  • Explicitly document our signing policy: when signing, sigstore-python will attempt to contact every TSA in the trust root, obtain a signed timestamp, and will embed those signed timestamps in the bundle
  • Explicitly document our verification policy: when verifying, sigstore-python will attempt to verify each timestamp response, but only requires a threshold of 1-of-N. Moreover, the integration time from the tlog itself is still treated as a source of signed time.

I think the only open question is where in the code/docs these notes should live 🙂

CC @jku
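As an added illustration of the verification policy described in the issue (my own model, not sigstore-python's code or API): every TSA response is checked, a threshold of 1-of-N verified responses is enough, and the tlog integration time counts as a further source of signed time. The certificate-validity window check, the TSA names, and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class TimestampResponse:
    tsa: str               # constructed TSA name, not a real trust-root entry
    signed_time: datetime  # genTime of the (hypothetical) RFC 3161 token
    signature_ok: bool     # outcome of checking the TSA signature and chain

@dataclass
class SignedTimeResult:
    usable: list = field(default_factory=list)    # verified and inside the cert window
    rejected: list = field(default_factory=list)  # failed verification or outside it

    @property
    def ok(self) -> bool:
        return len(self.usable) >= 1  # threshold 1-of-N over all sources

def evaluate_signed_time(cert_not_before, cert_not_after, responses, tlog_integrated_time=None):
    """Assumed policy: a source is usable if it verifies and its time lies in the
    signing certificate's validity window; one usable source suffices."""
    res = SignedTimeResult()

    def consider(name, t, verified):
        if verified and cert_not_before <= t <= cert_not_after:
            res.usable.append(name)
        else:
            res.rejected.append(name)

    for r in responses:
        consider(f"tsa:{r.tsa}", r.signed_time, r.signature_ok)
    if tlog_integrated_time is not None:
        # Integration time is taken from a tlog entry whose SET is assumed verified already.
        consider("tlog", tlog_integrated_time, True)
    return res

# Constructed certificate validity window: ten minutes starting 2024-01-01T00:00:00Z.
WINDOW = (datetime(2024, 1, 1, tzinfo=timezone.utc),
          datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=10))

def demo():
    nb, na = WINDOW
    responses = [  # constructed: one bad signature, one good, one good but a day late
        TimestampResponse("tsa-a", nb + timedelta(minutes=2), signature_ok=False),
        TimestampResponse("tsa-b", nb + timedelta(minutes=3), signature_ok=True),
        TimestampResponse("tsa-c", nb + timedelta(days=1), signature_ok=True),
    ]
    return evaluate_signed_time(nb, na, responses, tlog_integrated_time=nb + timedelta(minutes=4))
```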

Labels: documentation (Improvements or additions to documentation)