Check that the leaf certificate contains a subject (as SubjectAlternativeName) that matches the subject in the OIDC credential presented with the certificate signing request, and encodes the appropriate OIDC issuer in an extension with OID 1.3.6.1.4.1.57264.1.8.
But the SAN values are constructed by fulcio in a way that does not show up in any of the protos:
If we want clients to validate the returned cert, this needs to either go into the sigstore protos for fulcio, or else be clearly documented so clients can mirror the fulcio behavior
Question The spec says
But the SAN values are constructed by fulcio in a way that does not show up in any of the protos:
The type of the SAN is from https://github.com/sigstore/fulcio/blob/b2186c01da1ddf807bde3ea8c450226d8e001d88/pkg/config/config.go#L182-L201
https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md otherwise describes the extensions, but doesn't include the SAN
And ultimately the principal comes from https://github.com/sigstore/fulcio/blob/e86540d3be25166b75abff38aa81fcb003f924b6/pkg/challenges/challenges.go#L55-L89, and is dependent on the token issuer!
If we want clients to validate the returned cert, this needs to either go into the sigstore protos for fulcio, or else be clearly documented so clients can mirror the fulcio behavior