Rekor accepts certificates from any issuer, including self-signed certificates. A malicious entity or spammer could issue certificates using someone's identity and OIDC issuer to trigger an alert for a monitor. This can be mitigated by verifying the certificate chains up to a trusted root. For the public instance, the monitor can pull in the trusted PKI from Sigstore's TUF repo.
This should be configurable, since this may be used for self-hosted instances.
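The following is an added illustration, not code from rekor-monitor or from this issue. It shows, in Go, why an identity-only match is spoofable and how a chain check to a trusted root pool closes the hole. The root CA here is a locally constructed stand-in for the Fulcio root that a real monitor would load from Sigstore's TUF repository (or from an operator-supplied pool for a self-hosted instance); the email, issuer URL, and keys are all constructed for the demo. The OID 1.3.6.1.4.1.57264.1.1 is the one Fulcio uses for its (v1) issuer extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// OID of Fulcio's (v1) certificate extension carrying the OIDC issuer URL.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// identity is the SAN email / OIDC issuer pair a monitor watches for.
type identity struct{ Email, Issuer string }

// verdict keeps the weak identity match separate from the chain check;
// the monitor should only alert when both are true.
type verdict struct{ IdentityMatch, Trusted bool }

func (v verdict) Alert() bool { return v.IdentityMatch && v.Trusted }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a fresh P-256 key and signs tmpl with signerKey (nil: self-signed).
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signerKey == nil {
		signerKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// leafTemplate mimics a Fulcio-issued code-signing cert: email SAN, issuer extension, short lifetime.
func leafTemplate(id identity, now time.Time, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		NotBefore:       now,
		NotAfter:        now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{id.Email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(id.Issuer)}},
	}
}

// identityOf reads only what an identity-only monitor looks at; any issuer can fill these in.
func identityOf(c *x509.Certificate) identity {
	var id identity
	if len(c.EmailAddresses) > 0 {
		id.Email = c.EmailAddresses[0]
	}
	for _, e := range c.Extensions {
		if e.Id.Equal(oidIssuer) {
			id.Issuer = string(e.Value)
		}
	}
	return id
}

// evaluate applies both checks. The chain is verified at the log entry's
// integrated time rather than time.Now(), since Fulcio leaves expire in minutes.
func evaluate(c *x509.Certificate, want identity, roots *x509.CertPool, at time.Time) verdict {
	_, err := c.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		// The default (ServerAuth) would reject every code-signing certificate.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return verdict{IdentityMatch: identityOf(c) == want, Trusted: err == nil}
}

// scenario builds a locally constructed stand-in root (the real monitor would
// load the Fulcio root from Sigstore's TUF repo), a genuine leaf issued by it,
// and a self-signed impostor carrying identical identity fields.
func scenario() (genuine, impostor verdict) {
	now := time.Now()
	want := identity{Email: "alice@example.com", Issuer: "https://accounts.google.com"} // constructed
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "stand-in fulcio root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	leaf, _ := issue(leafTemplate(want, now, 2), root, rootKey)
	fakeTmpl := leafTemplate(want, now, 3)
	fake, _ := issue(fakeTmpl, fakeTmpl, nil)
	at := now.Add(time.Minute) // stands in for the Rekor entry's IntegratedTime
	return evaluate(leaf, want, roots, at), evaluate(fake, want, roots, at)
}
```

Both certificates pass `identityOf`, so a monitor that matches on SAN and issuer alone alerts on the impostor; only the genuine leaf survives `Verify` against the pool. Two details matter in practice: the pool must come from a trusted source (the TUF-distributed Fulcio roots for the public instance, an operator-configured pool for self-hosted), and verification time must be the entry's integrated time, since `Verify` defaults to the current clock and Fulcio leaves are long expired by the time a monitor sees them.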
One comment from the linked thread on rekor is that it is possible to have a freeze attack against local metadata up to the expiration of the timestamp. This would delay fetching the latest trust root and could result in an entry being ignored. We could add a configuration to always fetch the latest TUF metadata regardless of timestamp if this is a concern based on the user's threat model.