Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add new trusted_root.json target #584
add new trusted_root.json target #584
Changes from 5 commits
3680075
e60deec
e16a8a1
90cb9c6
cdc6d42
9f2fbc7
31e8b64
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we omit the end here? it's the cert end date as I see, but not the end of service date. but either way it's an upper bound on it so can always be updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still leaning towards omission of the end, but doesn't matter to me since we can always update it when it's EOL is known.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the consuming side, I personally find
end
here confusing: it's not the "end" in terms of service date (as you said), but only the point after which newly issued certs shouldn't be chained up to this particular root or intermediate.Given that that information should already be embedded into the certs themselves, I'm in favor of omitting it.
(My understanding is that
start
needs to be kept around for filtering purposes, i.e. we don't want to include a cert in the X.509 verification context before it's actually become active. But that too should be handled during the client verification process, so I'm not 100% sure what purpose it has in the bundle here.)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, I'd like to leave this comment open for addressing on Brian's side
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bdehamer to add to the TODO for fixup
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, the
end
date is not meant to indicate the certificate's validity period. That is redundant as @woodruffw said. It's supposed to indicate when that certificate/chain was decommissioned. We typically can't just rely on a list of certs with astart
value (and so assume that the nextstart
indicates the "current"end
), there is going to be some short overlap during time a new certificate is deployed.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree - I added this to the follow-up issue Brian posted to resolve
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need accurate start/end dates here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this key was used until Sigstore went GA around october 20th 2022
however, that was using the
https://ctfe.sigstore.dev
as the base URL. It's almost like there should be an entry for that URL until oct 20th, and then onwards for/test
@haydentherapper not really sure....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ping @haydentherapper is this actually being used anymore? or what do you think about the proposal to have the entry for
https://ctfe.sigstore.dev
as the old signing key from it's start date to GA, and then this current entry for/test
from GA to current.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need a more accurate start date here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe around Sigstore GA, Oct 20th's a good bound.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to match Sigstore's GA date.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I think it is still 2022-01-01 - maybe a missing commit?