AbridgedAssertion does not contain SignatureScheme

davidben / merkle-tree-certs

Other

9 stars 3 forks source link

AbridgedAssertion does not contain SignatureScheme #76

Open bwesterb opened 1 year ago

bwesterb commented 1 year ago

Is this an issue?

We could instead define AbridgedAssertion as

struct {
    SubjectType subject_type;
    opaque abridged_subject_info<0..2^16-1>;
    Claim claims<0..2^16-1>;
} AbridgedAssertion;

struct {
    SignatureScheme signature;
    opaque public_key_hash[hash.length];
} AbridgedTLSSubjectInfo

where obviously abridged_subject_info has to be AbridgedTLSSubjectInfo in case of subject_type=tls.

davidben commented 1 year ago

I guess the tradeoff is we avoid redacting things we don't need, but now the verification process needs to know about TLS.

I don't think redacting it is a problem per se, though I also don't know how much weight to put on this separation. My intuition is the separation is useful but dunno how it'll shake out.