Documentation of public_openpgp_keys

[wurstbrot]

Hello TC,

In the course of integrating a CSAF trusted provider into the Juice Shop, I encountered a reference to cryptographic material, public_openpgp_keys, in the provider-metadata.json file. Notably, public_openpgp_keys is structured as an array.

However, I was unable to locate documentation clarifying the following points:

• The rationale behind using an array for public_openpgp_keys (for instance, to facilitate rolling updates of cryptographic material or to use different keys from different employees).
• The procedure for validating a CSAF document with multiple keys as a CSAF consumer/validator (for example adding all listed signatures locally before verifying).

[santosomar]

Thank you so much for opening this issue! You are right, the spec documentation doesn't go into detail.

We can certainly provide this in our FAQ and/or guidance documentation.