From afb4f36c7654bf20d77f2657024daa15fc3b2cce Mon Sep 17 00:00:00 2001 From: Nathan Smith Date: Tue, 1 Feb 2022 11:55:15 -0800 Subject: [PATCH] Move OID information to docs directory and reformat The /docs dir is where we'll be adding a lot of contributor-focused docs so this is a start in that direction. The reformat makes it much easier for folks reading the plaintext markdown Signed-off-by: Nathan Smith --- OID_INFO.md | 23 ------------------- docs/oid-info.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 23 deletions(-) delete mode 100644 OID_INFO.md create mode 100644 docs/oid-info.md diff --git a/OID_INFO.md b/OID_INFO.md deleted file mode 100644 index 967a49398..000000000 --- a/OID_INFO.md +++ /dev/null
@@ -1,23 +0,0 @@ -# sigstore OID Information - -## Description - -sigstore maintains its own Private Enterprise Number (57264) with the Internet Assigned Numbers Authority to help identify and organize additional metadata in code signing certificates issued by Fulcio instances. This document aims to provide a simple directory of values in use with an explanation of their meaning. - -## Directory - -Note that all values begin from the root OID 1.3.6.1.4.1.57264 [registered by Dan Lorenc](http://oid-info.com/get/1.3.6.1.4.1.57264): - -# 1.3.6.1.4.1.57264.1 (Fulcio) -- *1.3.6.1.4.1.57264.1.1*: (Issuer) - - This contains the `issuer` claim from the OIDC Identity Token that was presented at the time the code signing certificate was requested to be created. This claim is the URI of the OIDC Identity Provider that digitally signed the identity token. -- *1.3.6.1.4.1.57264.1.2*: (GithubWorkflowTrigger) - - This contains the `event_name` claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) -- *1.3.6.1.4.1.57264.1.3*: (GithubWorkflowSha) - - This contains the `sha` claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) -- *1.3.6.1.4.1.57264.1.4*: (GithubWorkflowName) - - This contains the `workflow` claim from the GitHub OIDC Identity token that contains the name of the executed workflow. 
[(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) -- *1.3.6.1.4.1.57264.1.5*: (GithubWorkflowRepository) - - This contains the `repository` claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) -- *1.3.6.1.4.1.57264.1.6*: (GithubWorkflowRef) - - This contains the `ref` claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) diff --git a/docs/oid-info.md b/docs/oid-info.md new file mode 100644 index 000000000..a0432c3d7 --- /dev/null +++ b/docs/oid-info.md 
@@ -0,0 +1,57 @@ +# Sigstore OID information + +## Description + +Sigstore maintains its own Private Enterprise Number (57264) with the Internet +Assigned Numbers Authority to help identify and organize additional metadata in +code signing certificates issued by Fulcio instances. This document aims to +provide a simple directory of values in use with an explanation of their +meaning. + +## Directory + +Note that all values begin from the root OID 1.3.6.1.4.1.57264 [registered by +Dan Lorenc][oid-link]: + +## 1.3.6.1.4.1.57264.1 | Fulcio + +The `.1` is added to the root OID for sigstore for all OIDs set by Fulcio. + +### 1.3.6.1.4.1.57264.1.1 | Issuer + +This contains the `issuer` claim from the OIDC Identity Token that was +presented at the time the code signing certificate was requested to be created. +This claim is the URI of the OIDC Identity Provider that digitally signed the +identity token. + +### 1.3.6.1.4.1.57264.1.2 | Github Workflow Trigger + +This contains the `event_name` claim from the GitHub OIDC Identity token that +contains the name of the event that triggered the workflow run. +[(docs)][github-oidc-doc] + +### 1.3.6.1.4.1.57264.1.3 | Github Workflow SHA + +This contains the `sha` claim from the GitHub OIDC Identity token that contains +the commit SHA that the workflow run was based upon. [(docs)][github-oidc-doc] + +### 1.3.6.1.4.1.57264.1.4 | Github Workflow Name + +This contains the `workflow` claim from the GitHub OIDC Identity token that +contains the name of the executed workflow. [(docs)][github-oidc-doc] + +### 1.3.6.1.4.1.57264.1.5 | Github Workflow Repository + +This contains the `repository` claim from the GitHub OIDC Identity token that +contains the repository that the workflow run was based upon. +[(docs)][github-oidc-link] + +### 1.3.6.1.4.1.57264.1.6 | Github Workflow Ref + +This contains the `ref` claim from the GitHub OIDC Identity token that contains +the git ref that the workflow run was based upon. 
+[(docs)][github-oidc-doc] + + +[github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token +[oid-ink]: http://oid-info.com/get/1.3.6.1.4.1.57264
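Review bot: Deleting `OID_INFO.md` outright (first hunk) will break any existing inbound links to the top-level file, and the OID directory is exactly the kind of reference other repositories and verifiers point at; consider leaving a one-line stub at `OID_INFO.md` that points to `docs/oid-info.md`, or at least calling out the move in the README, so the old path does not silently 404.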
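Review bot: Two reference-style links in the new `docs/oid-info.md` (second hunk) are dangling and will render as literal bracketed text rather than links. The Directory intro uses `[registered by Dan Lorenc][oid-link]` but the definition at the bottom is spelled `[oid-ink]`, and the Github Workflow Repository section uses `[(docs)][github-oidc-link]` while the only definition is `[github-oidc-doc]`. Suggested fix: change the definition line to `[oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264` and change the Repository section's link to `[(docs)][github-oidc-doc]` to match the other five sections. Two smaller consistency points in the same hunk: `## 1.3.6.1.4.1.57264.1 | Fulcio` sits at the same heading level as `## Directory` even though it is a child of it (the per-OID entries below are `###`, so `###`/`####` nesting would read more naturally), and the section headings say "Github" while the body text and GitHub's own docs say "GitHub"; likewise "root OID for sigstore" is lowercase while the title uses "Sigstore".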