
Finalize TrustedRoot target #616

Closed
bdehamer opened this issue Feb 8, 2023 · 10 comments
Labels
enhancement New feature or request

@bdehamer
Contributor

bdehamer commented Feb 8, 2023

Description

Remaining work for finalizing the new TrustedRoot target before the v6 root signing (see #584):

  • Set the validFor period for the "test" ctlog public key (both start and end timestamps).
  • Finalize the file name for the target. Currently named trusted_root.json.
@bdehamer bdehamer added the enhancement New feature or request label Feb 8, 2023
@asraa
Contributor

asraa commented Feb 9, 2023

Also:

  • Potentially remove the end date for the Fulcio root CA - which is currently the cert expiration. The end date should reflect the production use end of life.

@bdehamer
Contributor Author

bdehamer commented Feb 9, 2023

Also:

Will be part of v7.

@asraa
Contributor

asraa commented Feb 14, 2023

Include cert chain for Timestamp Authority

I think from convo offline, we may punt this one to v7 root. I'll update the milestone for that issue.

@kommendorkapten
Member

The end time for the "first" Fulcio instance is roughly midnight on December 31st 2022 and the second starts at 2022-04-13T20:06:15.000Z; the overlap is pretty big, is this accurate?

The CT log /test ends at 2022-01-01T00:00:00.000Z and the next /2022 starts at 2022-10-20T00:00:00.000Z.
Some of the dates seem off here too.

@bdehamer
Contributor Author

bdehamer commented Feb 14, 2023

The end time for the "first" Fulcio instance is roughly midnight on December 31st 2022 and the second starts at 2022-04-13T20:06:15.000Z; the overlap is pretty big, is this accurate?

The "2022-12-31" end date came from a suggestion made by @haydentherapper and the "2022-04-13" start date for the next set of certs comes from the "Not Before" value of the intermediate cert (which is likely well before it was actually used to sign anything). Definitely erring on the side of being extra conservative in both these cases, but happy to tighten these up if someone can provide more specific values.

The CT log /test ends at 2022-01-01T00:00:00.000Z and the next /2022 starts at 2022-10-20T00:00:00.000Z.
Some of the dates seem off here too.

Yeah, you're right. The "/2022" start date came from here, but the "/test" end date needs to be adjusted (this is covered in my first todo item above).
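The overlap and gap questions in this exchange are exactly what a consumer of the target has to reason about, so here is an added example (not code from root-signing or sigstore-python) that reads a trusted_root.json, reports overlap or gap in days between consecutive validFor windows of each kind, and lists which instances cover a given instant. The field names follow the protobuf-specs TrustedRoot JSON shape as I understand it (camelCase, RFC 3339 timestamps); the embedded sample is constructed from the dates debated above, not copied from the real target.

```python
"""Sanity-check validFor windows in a Sigstore trusted_root.json (added example)."""
import json
from datetime import datetime

# Constructed sample shaped like the TrustedRoot JSON; dates are the ones
# questioned in the thread, not the values of the real target.
SAMPLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "certificateAuthorities": [
        {"uri": "https://fulcio.sigstore.dev",
         "validFor": {"start": "2021-03-07T03:20:29.000Z", "end": "2022-12-31T23:59:59.999Z"}},
        {"uri": "https://fulcio.sigstore.dev",
         "validFor": {"start": "2022-04-13T20:06:15.000Z"}},  # no end: still in use
    ],
    "ctlogs": [
        {"baseUrl": "https://ctfe.sigstore.dev/test",
         "publicKey": {"validFor": {"start": "2021-03-14T00:00:00.000Z",
                                    "end": "2022-01-01T00:00:00.000Z"}}},
        {"baseUrl": "https://ctfe.sigstore.dev/2022",
         "publicKey": {"validFor": {"start": "2022-10-20T00:00:00.000Z"}}},
    ],
})

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _window(valid_for):
    return (_ts(valid_for["start"]), _ts(valid_for["end"]) if "end" in valid_for else None)

def windows(root_json):
    """Map label -> (start, end or None) for every CA and CT log key in the root."""
    root = json.loads(root_json)
    out = {}
    for i, ca in enumerate(root.get("certificateAuthorities", [])):
        out[f"ca[{i}]"] = _window(ca["validFor"])
    for i, log in enumerate(root.get("ctlogs", [])):
        out[f"ctlog[{i}]"] = _window(log["publicKey"]["validFor"])
    return out

def valid_at(root_json, when_iso):
    """Labels whose window covers the instant (an open end means still valid)."""
    t = _ts(when_iso)
    return [k for k, (s, e) in windows(root_json).items() if s <= t and (e is None or t <= e)]

def overlap_days(root_json, kind):
    """For consecutive windows of one kind (sorted by start): end of the earlier minus
    start of the later, in whole days. Positive = overlap, negative = gap, None = no end."""
    ws = sorted((kv for kv in windows(root_json).items() if kv[0].startswith(kind)),
                key=lambda kv: kv[1][0])
    report = {}
    for (k1, (_, e1)), (k2, (s2, _)) in zip(ws, ws[1:]):
        report[(k1, k2)] = None if e1 is None else (e1 - s2).days
    return report
```

On the sample this reports a 262-day overlap between the two Fulcio windows and a 292-day gap between the /test and /2022 CT log keys, during which no CT log key is valid at all.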

@woodruffw
Member

On the sigstore-python end: having v7 for the TSA's chain works for us!

@haydentherapper
Contributor

You can probably lower the December value, but I don't recall when we switched over, so erring on the side of caution is reasonable.

@bdehamer
Contributor Author

@asraa @kommendorkapten the only thing remaining on the todo list here is to make sure that everyone is satisfied w/ the target name. When I submitted the initial PR, I named it trusted_root.json but really didn't put too much thought into it.

There was a suggestion that the name contain some indication of the type/version (but that has maybe been addressed by the mediaType field in the protobuf now).

Having a name that remains static over time will help a lot with target discovery (as in, we won't have to deal with it 🤞 ).

@kommendorkapten
Member

@bdehamer I agree with you that the current naming is satisfactory; the object contains the media type, so I think we can close this issue.

@asraa
Contributor

asraa commented Feb 27, 2023

Ah yes! Good point - now that the object contains the media type, let's keep a stable name for the target. Thanks!
