Closed woodruffw closed 1 year ago
re: LogId
, I'm fine with removing OID because I don't think we'll move to CT 2.0 any time soon.
re: HashAlgorithm
, one issue is we've hardcoded support for SHA256 all over the place. I think it'd be reasonable to keep the enum for HashAlgorithm in case we want to add additional algorithms in the future, but removing 512 now would be fine I think.
Is SignatureAlgorithm
used anywhere currently? It doesn't seem like it, I think we can just delete the message.
Is
SignatureAlgorithm
used anywhere currently? It doesn't seem like it, I think we can just delete the message.
Not that I can see either 🙂 -- maybe there's somewhere that should have it that's currently missing, although the only place I can think of it being relevant is in the certificates themselves (and those are opaque DER blobs to the protobuf layer).
Opened #39 for this -- I left SignatureAlgorithm
in because I wasn't sure, but I addressed the other two.
The SignatureAlgorithm
is not used, so it can be removed. There was first a tuple <signature algorithm, key encoding> but it was flattened to a list of permutations to avoid scenarios where invalid combinations was used. It just seems that the SignatureAlgorithm
was not removed.
Will remove now!
30 is getting a little long, so I'm filing a separate issue to track some other potential changes to the current messages 🙂
LogId
Here's how
LogId
is currently defined:IMO, we probably don't want this agility: the message formats will probably have to change significantly anyways if and when Sigstore moves to CT 2.0, so we should probably limit
LogId
to just theSHA256(DER(pk))
format that CT 1.0 allows.HashAlgorithm
andSignatureAlgorithm
Here's how these are currently defined:
I might be wrong about this, but I believe we don't need SHA2-512 or RSA PSS: neither of these is mentioned in the CT RFCs. But it's possible these show up in certificates anyways; cc @haydentherapper for thoughts on these.