boxboat / in-toto-golang

A Go Implementation of in-toto with certificate constraint support.

Properly handle certificate validity range #23

Open mikhailswift opened 3 years ago

mikhailswift commented 3 years ago

Ignoring CRLs for right now. Currently VerifySignatureWithCertificate calls *Certificate.Verify with the default CurrentTime option set. This checks that the certificate is valid at the system's current time, not that the certificate was valid when the signature was created.

This may be fine for some use-cases but it breaks down for our intended SPIFFE/SPIRE use case where a certificate may expire in minutes -- potentially before we can successfully verify the layout. Also, we want in-toto verify to be independently verifiable after the fact, not just once at completion.

We can't just add a timestamp to the signature or metadata blocks because this is easily forged and effectively lets a compromised key be used indefinitely. However, @colek42 has been looking at https://github.com/clocklock/go-rfc3161 which may be a good solution for this problem.

We should be able to use this to have a trusted timestamp on our metadata block and use that timestamp to verify that it was created in a certificate's validity window.
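
The effect described above, as an added Go example that is not part of in-toto-golang: the same signature over a metadata blob is checked twice against a constructed five-minute certificate, once with `x509.VerifyOptions.CurrentTime` set to the signing instant and once an hour later. The helper names (`makeEphemeralCert`, `verifyAt`, `Demo`), the dates and the sample metadata are all invented for this example; the signing instant is passed in as a plain parameter and the example does not implement an RFC 3161 exchange, which is what would supply a trustworthy value for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity window: a five-minute certificate, the kind of
// short-lived identity a SPIFFE/SPIRE workload receives. Dates are made up.
var (
	certNotBefore = time.Date(2021, time.June, 1, 12, 0, 0, 0, time.UTC)
	certNotAfter  = certNotBefore.Add(5 * time.Minute)
)

// makeEphemeralCert builds a self-signed ECDSA P-256 certificate that is only
// valid between certNotBefore and certNotAfter. It stands in for the workload
// certificate a real deployment would obtain from its CA.
func makeEphemeralCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-workload"},
		NotBefore:             certNotBefore,
		NotAfter:              certNotAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyAt checks the signature over msg, then verifies the certificate as of
// `at` instead of the system clock. Leaving CurrentTime at its zero value means
// time.Now(), which is the behaviour the issue describes. In practice `at`
// would come from a trusted timestamp, never from the metadata itself.
func verifyAt(cert *x509.Certificate, roots *x509.CertPool, msg, sig []byte, at time.Time) error {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Outcome records whether one signature verifies at signing time and again one
// hour later, after the five-minute certificate has expired.
type Outcome struct {
	ValidAtSigning bool
	ValidLater     bool
	LaterExpired   bool // the later failure is specifically an expiry
}

// Demo signs a constructed metadata blob one minute into the certificate's
// window and evaluates the result at both instants.
func Demo() (Outcome, error) {
	cert, key, err := makeEphemeralCert()
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)

	metadata := []byte(`{"_type":"link","name":"build"}`) // constructed sample
	digest := sha256.Sum256(metadata)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Outcome{}, err
	}

	signedAt := certNotBefore.Add(1 * time.Minute)
	laterAt := certNotBefore.Add(1 * time.Hour)

	out := Outcome{ValidAtSigning: verifyAt(cert, roots, metadata, sig, signedAt) == nil}
	laterErr := verifyAt(cert, roots, metadata, sig, laterAt)
	out.ValidLater = laterErr == nil
	var invalid x509.CertificateInvalidError
	if errors.As(laterErr, &invalid) && invalid.Reason == x509.Expired {
		out.LaterExpired = true
	}
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the two calls is that nothing about the signature changed between them; only the reference instant did. Whatever supplies that instant (the RFC 3161 token the thread proposes, for example) therefore has to be trusted independently of the signer, because an attacker who controls it can move an expired certificate back into its window.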

sjbodzo commented 3 years ago

This is great and could generically support time-based link / step signing. Ephemeral certs issued per CI build would be a great use case here!