Ignoring CRLs for right now. Currently VerifySignatureWithCertificate calls *Certificate.Verify with the default CurrentTime option set. This checks that the certificate is valid at the system's current time, not that the certificate was valid when the signature was created.
This may be fine for some use-cases but it breaks down for our intended SPIFFE/SPIRE use case where a certificate may expire in minutes -- potentially before we can successfully verify the layout. Also, we want in-toto verify to be independently verifiable after the fact, not just once at completion.
We can't just add a timestamp to the signature or metadata blocks because this is easily forged and effectively lets a compromised key be used indefinitely. However, @colek42 has been looking at https://github.com/clocklock/go-rfc3161 which may be a good solution for this problem.
We should be able to use this to have a trusted timestamp on our metadata block and use that timestamp to verify that it was created in a certificate's validity window.
Ignoring CRLs for right now. Currently
VerifySignatureWithCertificate
calls*Certificate.Verify
with the defaultCurrentTime
option set. This checks that the certificate is valid at the system's current time, not that the certificate was valid when the signature was created.This may be fine for some use-cases but it breaks down for our intended SPIFFE/SPIRE use case where a certificate may expire in minutes -- potentially before we can successfully verify the layout. Also, we want
in-toto verify
to be independently verifiable after the fact, not just once at completion.We can't just add a timestamp to the signature or metadata blocks because this is easily forged and effectively lets a compromised key be used indefinitely. However, @colek42 has been looking at https://github.com/clocklock/go-rfc3161 which may be a good solution for this problem.
We should be able to use this to have a trusted timestamp on our metadata block and use that timestamp to verify that it was created in a certificate's validity window.