Closed ycchang closed 1 year ago
It's an interesting and clever solution to embed a public key into the audience claim of the ID token, but I think this proposal ignores how vital Fulcio is for establishing and maintaining a root of trust. Fulcio uses TUF to distribute its root and intermediate certificates, which clients can use to verify signing certificates across all IDPs. Without Fulcio, there is not a consistent way to verify the ID tokens over the long term (as IDPs rotate their keys). This proposal shifts the responsibility of key management to client code that must directly integrate with each IDP (none of which use TUF AFAIK). This would present a big challenge to the npm CLI.
@codysoyland If the mentioned client integration is indeed difficult, to reduce the trust base and to improve the auditability, we just need a trusted third party to certify the IDPs’ current and past keys, instead of a trusted third party to certify all the ephemeral keys which significantly outnumber IDPs’ keys.
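Both points in the exchange above can be shown concretely: an IDP's live key set only holds the keys currently in use, so a token signed before a rotation can no longer be checked against it, while a certified record of the IDP's current and past keys keeps old tokens verifiable. The following Go program is an added example, not code from npm, Sigstore or the RFC author. It assumes a simplified EdDSA-signed JWT issued by a hypothetical IDP (`https://idp.example`), a JWKS modeled as a map from `kid` to public key, and a second map standing in for the certified key history; the key fingerprint placed in `aud` is a constructed SHA-256 digest, chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeySet maps an IDP key id ("kid") to its public key. The live JWKS an IDP
// publishes only holds keys currently in use; the certified key history from
// the reply above keeps every key that was ever valid.
type KeySet map[string]ed25519.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one JWS segment and parses it as JSON.
func decodeSegment(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// KeyFingerprint is the value the RFC would embed in "aud": a digest that
// binds the ID token to one ephemeral signing key (constructed format).
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// IssueToken is the IDP side: a compact JWS over {iss, sub, aud} signed with
// the IDP's current private key, with the header naming that key's kid.
func IssueToken(kid string, priv ed25519.PrivateKey, sub, aud string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]string{"iss": "https://idp.example", "sub": sub, "aud": aud})
	signingInput := b64(hdr) + "." + b64(claims)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput)))
}

// VerifyToken is the client side: resolve the token's kid in the given key
// set, check the signature, then check that aud binds the expected key.
func VerifyToken(token string, keys KeySet, expectAud string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return err
	}
	if hdr.Alg != "EdDSA" { // the verifier, not the token, fixes the algorithm
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok { // what happens once the IDP drops a rotated key from its JWKS
		return fmt.Errorf("no key for kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	var claims struct {
		Aud string `json:"aud"`
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return err
	}
	if claims.Aud != expectAud {
		return fmt.Errorf("aud %q does not bind the expected ephemeral key", claims.Aud)
	}
	return nil
}

// RotationScenario walks through one IDP key rotation and reports whether an
// older token verifies before rotation, after rotation against the live JWKS,
// and after rotation against the key history.
func RotationScenario() (before, afterViaJWKS, afterViaHistory bool) {
	// Constructed keys: the IDP's first signing key and a user's ephemeral key.
	idpPub1, idpPriv1, _ := ed25519.GenerateKey(rand.Reader)
	ephPub, _, _ := ed25519.GenerateKey(rand.Reader)

	jwks := KeySet{"key-2023": idpPub1}
	history := KeySet{"key-2023": idpPub1}
	aud := KeyFingerprint(ephPub)
	token := IssueToken("key-2023", idpPriv1, "alice@example.com", aud)
	before = VerifyToken(token, jwks, aud) == nil

	// Rotation: the IDP now publishes only its new key; the history keeps both.
	idpPub2, _, _ := ed25519.GenerateKey(rand.Reader)
	jwks = KeySet{"key-2024": idpPub2}
	history["key-2024"] = idpPub2

	afterViaJWKS = VerifyToken(token, jwks, aud) == nil
	afterViaHistory = VerifyToken(token, history, aud) == nil
	return
}

func main() {
	before, viaJWKS, viaHistory := RotationScenario()
	fmt.Printf("before rotation: %v, after (live JWKS): %v, after (key history): %v\n",
		before, viaJWKS, viaHistory)
}
```

The middle result is the failure the first comment describes: nothing in the token or the live JWKS lets a client verify it once the IDP has rotated. Whether the missing record comes from Fulcio's TUF-distributed roots or from a third party certifying the IDP's past keys, some long-lived, independently verifiable key record has to exist outside the IDP's current endpoint.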
Zack tried to write up a lot of this in a single blog post here; the comments are hard to follow: https://blog.sigstore.dev/why-you-cant-use-sigstore-without-sigstore-de1ed745f6fc
First off, thank you @ycchang for writing this RFC. We really appreciate your enthusiasm and the efforts you took to share your thoughts and how we might change this feature in the future. There's been a lot of really great discussions coming out of this, and that's amazing!
The blog post linked above (here again for posterity) explains in great detail some of the technical reasons that the approach you're proposing here is ~not something we are planning to adopt at this time~ something that needs further discussion. ~In the future as new products and technologies emerge we are always happy to revisit these decisions, though!~
Thank you again for all of the time and effort you put into this, npm :heart:s you
Actually, I realized that closing this early was a mistake as I didn't provide an opportunity for a real time discussion around this. That's my fault.
I'm reopening this for now so that we have a chance to discuss this in our open office hours calls. They are scheduled for every Wednesday at 11am pacific time. @ycchang if you're able to attend, we'd love to hear from you. @znewman01 I believe said he should be available for discussion. If you're not able to, don't wish to, or don't have any further feedback that's totally fine too!
Hi, sorry for the late reply as I am in a different time zone.
I would like to thank you all for your time spent on this proposal. And I would like to especially thank @znewman01 for making the blog post and @dlorenc for liking the IACR tweet :P
I have no further feedback on this proposal at this moment and feel totally fine if you just close this RFC. Have a nice weekend :)
Thanks everyone, based on the discussions, blog post and author's final comments, closing this RFC.