notaryproject / specifications

Cross tooling and interoperability specifications
https://notaryproject.dev/
Apache License 2.0

docs: added timestamp revocation check #306

Closed Two-Hearts closed 3 months ago

Two-Hearts commented 4 months ago

Based on the 7/1/24 community meeting, creating this PR as a way to continue the discussion. It adds a new column called timestamp revocation check in the trust policy validation table.

However, as you can see, since timestamp revocation check is a sub-step under authentic timestamp, adding a new column with the same level as authentic timestamp actually brings in more confusion to implementations of this spec.

This is to compare with a simpler solution in PR: https://github.com/notaryproject/specifications/pull/305

Two-Hearts commented 4 months ago

Based on the 7/1/24 community meeting, the following is an invalid trust policy example, which is a breaking change to trust policy version 1.0. Users who already have the following trust policy would find that verification fails after upgrading Notation:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "wabbit-networks-images",
            "registryScopes": [ "*" ],
            "signatureVerification": {
              "level" : "strict",
              "override": {
                "authenticTimestamp": "log"  // This actually invalidates the trust policy, because the default value of `timestampRevocationCheck` is `enforced`.
              }
            },
            "trustStores": ["ca:acme-rockets"],
            "trustedIdentities": [
              "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
            ]
        }
    ]
}

Two-Hearts commented 3 months ago

Based on the 7/8/24 community meeting, closing this PR because issue #303 has been moved to the Future milestone.