in-toto / specification

Specification and other related documents.
https://in-toto.io
MIT License

missing key management #72

Closed lukpueh closed 1 year ago

lukpueh commented 1 year ago

[based on the X41 specification and source code audit]

in-toto does not deal with key management and relies on additional channels to distribute and verify the generated keys in a secure manner. Therefore, key expiration and revocation are outside of the project's responsibility. However, the keys in the specification do not describe fields that can support this. This could be improved upon.

Solution Advice

X41 recommends using keys and certificates that have key management infrastructure in place instead of generating a new key format. These might contain PGP keys and S/MIME certificates.

lukpueh commented 1 year ago

related: https://github.com/in-toto/in-toto/issues/79

existing solution: ITE-2

adityasaky commented 1 year ago

With #75, the spec now formally recommends ITE-2 and ITE-3 for key management.