
docs: added timestamp revocation check #306

Closed

Conversation

Two-Hearts
Contributor

@Two-Hearts Two-Hearts commented Jul 2, 2024

Based on the 7/1/24 community meeting, creating this PR as a way to continue the discussion. It adds a new column called timestamp revocation check in the trust policy validation table.

However, as you can see, since timestamp revocation check is a sub-step under authentic timestamp, adding a new column with the same level as authentic timestamp actually brings in more confusion to implementations of this spec.

This is to compare with a simpler solution in PR: #305

Signed-off-by: Patrick Zheng <[email protected]>
Signed-off-by: Patrick Zheng <[email protected]>
Signed-off-by: Patrick Zheng <[email protected]>
@Two-Hearts
Contributor Author

Two-Hearts commented Jul 4, 2024

Based on the 7/1/24 community meeting, the following is an invalid trust policy example, which is a breaking change to trust policy version 1.0. Users already having the following trust policy would find verification failing after upgrading Notation:

```json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "wabbit-networks-images",
            "registryScopes": [ "*" ],
            "signatureVerification": {
              "level" : "strict",
              "override": {
                "authenticTimestamp": "log"  // This actually invalidates the trust policy, because the default value of `timestampRevocationCheck` is `enforced`.
              }
            },
            "trustStores": ["ca:acme-rockets"],
            "trustedIdentities": [
              "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
            ]
        }
    ]
}
```

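An added illustration of the rule this comment describes (example code written for this page, not code from the Notation project or the spec): a Go check that parses a trust policy, fills in the defaults, and rejects any policy whose `timestampRevocationCheck` action would be stricter than its `authenticTimestamp` action. The struct shape, the `presetAuthenticTimestamp` table and the `ValidateTimestampOverride` function are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical minimal model of a trust policy document (not notation-go's types).
type TrustPolicyDoc struct {
	TrustPolicies []struct {
		Name                  string `json:"name"`
		SignatureVerification struct {
			Level    string            `json:"level"`
			Override map[string]string `json:"override"`
		} `json:"signatureVerification"`
	} `json:"trustPolicies"`
}

// Strictness order of verification actions, and the preset authenticTimestamp
// action for each verification level (my reading of the spec's level presets).
var actionRank = map[string]int{"skip": 0, "log": 1, "enforced": 2}
var presetAuthenticTimestamp = map[string]string{"strict": "enforced", "permissive": "log", "audit": "log", "skip": "skip"}
// ValidateTimestampOverride applies the rule discussed in this PR: timestampRevocationCheck
// defaults to "enforced" and, as a sub-step of authenticTimestamp, must not be stricter than it.
func ValidateTimestampOverride(raw []byte) error {
	var doc TrustPolicyDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("parse trust policy: %w", err)
	}
	for _, p := range doc.TrustPolicies {
		sv := p.SignatureVerification
		authTS, ok := sv.Override["authenticTimestamp"]
		if !ok {
			authTS = presetAuthenticTimestamp[sv.Level]
		}
		tsRev, ok := sv.Override["timestampRevocationCheck"]
		if !ok {
			tsRev = "enforced" // default stated in the comment above
		}
		if actionRank[tsRev] > actionRank[authTS] {
			return fmt.Errorf("policy %q: timestampRevocationCheck=%q is stricter than authenticTimestamp=%q", p.Name, tsRev, authTS)
		}
	}
	return nil
}

func main() {
	// Constructed sample mirroring the policy in the comment above; prints the validation error.
	sample := `{"version":"1.0","trustPolicies":[{"name":"wabbit-networks-images","signatureVerification":{"level":"strict","override":{"authenticTimestamp":"log"}}}]}`
	fmt.Println(ValidateTimestampOverride([]byte(sample)))
}
```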
@Two-Hearts
Contributor Author

Two-Hearts commented Jul 9, 2024

Based on the 7/8/24 community meeting, closing this PR because issue #303 has been moved to the Future milestone.

@Two-Hearts Two-Hearts closed this Jul 9, 2024
@Two-Hearts Two-Hearts deleted the timestamp2 branch August 7, 2024 08:23