Closed woodruffw closed 2 months ago
The above is relevant to this section of the client spec:
1. Perform certification path validation ([RFC 5280 §6](https://datatracker.ietf.org/doc/html/rfc5280#section-6)) of the returned certificate chain with the pre-distributed Fulcio root certificate(s) as a trust anchor.
2. Extract a `SignedCertificateTimestamp`, which may be embedded as an X.509 extension in the leaf certificate or attached separately in the `SigningCertificate` returned from the Identity Service. Verify this `SignedCertificateTimestamp` as in [RFC 6962 §3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2), using the public key from the Certificate Transparency Log.
3. Check that the leaf certificate contains the subject from the certificate signing request and encodes the appropriate `AuthenticationServiceIdentifier` in an extension with OID [`1.3.6.1.4.1.57264.1.8`](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726418--issuer-v2).
Copying from the doc, from @segiddins: this bullet has some inaccuracies in it:
`AuthenticationServiceIdentifier` doesn't get defined anywhere above, so I think this should probably say something like "encodes the appropriate underlying OIDC IdP issuer" since that's what it means 🙂

I'm happy to send patches for these improvements, either to this PR or as follow-ups once this is merged. Just let me know whatever works best!
_Originally posted by @woodruffw in https://github.com/sigstore/architecture-docs/pull/9#discussion_r1729515261_
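To make step 3 of the quoted spec concrete, here is an added example (not code from the architecture docs or from any Sigstore client) of the leaf-certificate identity check: it builds a constructed, self-signed stand-in for a Fulcio leaf carrying a SAN email and the `1.3.6.1.4.1.57264.1.8` (issuer v2) extension, whose value Fulcio documents as a DER-encoded UTF8String, and then verifies that the certificate binds the requested subject to the expected OIDC issuer. It assumes the `cryptography` package is available; the email and issuer URL are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fulcio "Issuer (V2)" extension; its value is a DER-encoded UTF8String.
FULCIO_ISSUER_V2 = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.8")

def der_utf8string(s: str) -> bytes:
    """Encode s as a DER UTF8String (tag 0x0C), long-form length above 127 bytes."""
    body = s.encode("utf-8")
    if len(body) < 128:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x0c" + length + body

def parse_der_utf8string(data: bytes) -> str:
    """Strictly decode exactly one DER UTF8String; reject wrong tag, bad or trailing bytes."""
    if len(data) < 2 or data[0] != 0x0C:
        raise ValueError("extension value is not a DER UTF8String")
    length, offset = data[1], 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if length < 128:
            raise ValueError("non-minimal DER length")
    if len(data) != offset + length:
        raise ValueError("DER length does not match extension value")
    return data[offset:].decode("utf-8")

def make_leaf(subject_email: str, issuer_url: str) -> x509.Certificate:
    """Constructed, self-signed stand-in for a Fulcio leaf (not a real Fulcio certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-leaf")])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(minutes=10))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(subject_email)]), critical=False)
            .add_extension(x509.UnrecognizedExtension(FULCIO_ISSUER_V2, der_utf8string(issuer_url)), critical=False)
            .sign(key, hashes.SHA256()))

def check_leaf_identity(cert: x509.Certificate, expected_email: str, expected_issuer: str) -> bool:
    """Spec step 3: the leaf must carry the requested subject and the expected OIDC issuer."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    issuer_ext = cert.extensions.get_extension_for_oid(FULCIO_ISSUER_V2).value
    return (expected_email in san.get_values_for_type(x509.RFC822Name)
            and parse_der_utf8string(issuer_ext.value) == expected_issuer)
```

Steps 1 and 2 (chain validation against the Fulcio root and SCT verification) still have to run before this check; a matching subject and issuer in an unvalidated leaf proves nothing.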