Open znewman01 opened 1 year ago
There are two possible changes here:
--certificate-chain
flag to something more descriptive (possibly keeping an alias from the old name for backwards compatibility)--cert-and-intermediates
and --root-pool
(names very much TBD). This would probably require a transition period.This means that it's no longer a 2.0 blocker.
Our APIs should also reflect this.
Something to learn from is how openssl implements this - You pass a set of trusted certificates (typically root certs) and "untrusted" certs used for chain building (typically intermediates). I'd avoid using "untrusted", but splitting up a chain makes sense. It also lets us easily pass sets of roots rather than a single root in a chain.
We also chatted about how Sigstore's TUF targets don't differentiate between trusted roots and chain building intermediates. This is something we should address.
It also lets us easily pass sets of roots rather than a single root in a chain.
being able to pass a set of roots (a bundle) would be very convenient! If there are no big "conceptual" hurdles / objections etc, I'd volunteer to help this happen.
Something to learn from is how openssl implements this - You pass a set of trusted certificates (typically root certs) and "untrusted" certs used for chain building (typically intermediates). I'd avoid using "untrusted", but splitting up a chain makes sense. It also lets us easily pass sets of roots rather than a single root in a chain.
could we split the --certificate-chain
into 1. --certificate-roots
- which could contain either the single CA root file, like the last part of the current certificate chain and 2. --certificate-intermediates
- optional parameter that would include the intermediate CA(s)? We can treat the current --certificate-chain
as if the last certificate where in the file passed to --certificate-root
, and the rest of the file - as content of the --certificate-intermediates
file.
See helpful context: https://github.com/sigstore/cosign/pull/2461#discussion_r1024644134_