sigstore / rekor-monitor

Log monitor for Rekor to verify immutability and monitor entries
Apache License 2.0

Alert only for certificates issued from a set of trusted roots #378

Open haydentherapper opened 2 months ago

haydentherapper commented 2 months ago

Description

Rekor accepts certificates from any issuer, including self-signed certificates. A malicious entity or spammer could issue certificates using someone's identity and OIDC issuer to trigger an alert for a monitor. This can be mitigated by verifying the certificate chains up to a trusted root. For the public instance, the monitor can pull in the trusted PKI from Sigstore's TUF repo.

This should be configurable, since this may be used for self-hosted instances.

haydentherapper commented 1 month ago

One comment from the linked thread on rekor is that it is possible to have a freeze attack against local metadata up to the expiration of the timestamp. This would delay fetching the latest trust root and could result in an entry being ignored. We could add a configuration to always fetch the latest TUF metadata regardless of timestamp if this is a concern based on the user's threat model.
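The alert predicate the issue proposes, as an added example that is not rekor-monitor's own code: an entry's certificate must both carry the monitored identity (email SAN plus Fulcio's OIDC issuer extension) and chain to a configured trusted root before an alert fires. The PKI below (root, intermediate, a leaf issued through them, and a self-signed impostor with the same SAN and issuer) is constructed in-process; it is not Sigstore's trust root, which a real monitor would load from the TUF repository. The `Identity` type, `ShouldAlert`, `BuildScenario` and the choice to verify at the entry's integrated time are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's legacy OIDC issuer extension (1.3.6.1.4.1.57264.1.1); the value is the raw issuer URL.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Identity is the subject the monitor watches for (assumed shape, not the project's config type).
type Identity struct {
	Email  string
	Issuer string
}

// matchesIdentity is the identity match alone. A spammer can satisfy this with a self-signed
// certificate, which is exactly the problem the issue describes.
func matchesIdentity(cert *x509.Certificate, id Identity) bool {
	emailOK := false
	for _, e := range cert.EmailAddresses {
		if e == id.Email {
			emailOK = true
		}
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) && bytes.Equal(ext.Value, []byte(id.Issuer)) {
			return emailOK
		}
	}
	return false
}

// chainsToTrustedRoot verifies cert against the configured roots (via any intermediates),
// evaluated at the time the entry was integrated, since Fulcio leaves are short-lived.
func chainsToTrustedRoot(cert *x509.Certificate, roots, intermediates *x509.CertPool, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// ShouldAlert fires only when the identity matches AND the certificate chains to a trusted root.
func ShouldAlert(cert *x509.Certificate, id Identity, roots, intermediates *x509.CertPool, at time.Time) bool {
	if !matchesIdentity(cert, id) {
		return false
	}
	return chainsToTrustedRoot(cert, roots, intermediates, at) == nil
}

// --- constructed PKI for the demonstration; not Sigstore's real roots ---

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func leafTemplate(id Identity, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute), // Fulcio-style short validity
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{id.Email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(id.Issuer)}},
	}
}

// BuildScenario returns a leaf issued under the trusted root, a self-signed impostor claiming
// the same identity, and the root/intermediate pools a monitor would load from its trust root.
func BuildScenario(id Identity) (leaf, impostor *x509.Certificate, roots, intermediates *x509.CertPool) {
	rootKey, intKey, leafKey, evilKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootT := caTemplate("example root", 1)
	root := mustCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := mustCert(caTemplate("example intermediate", 2), root, &intKey.PublicKey, rootKey)
	leaf = mustCert(leafTemplate(id, 3), inter, &leafKey.PublicKey, intKey)
	evilT := leafTemplate(id, 4)
	impostor = mustCert(evilT, evilT, &evilKey.PublicKey, evilKey) // self-signed, same SAN and issuer

	roots, intermediates = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	intermediates.AddCert(inter)
	return leaf, impostor, roots, intermediates
}

func main() {
	id := Identity{Email: "dev@example.com", Issuer: "https://accounts.google.com"}
	leaf, impostor, roots, inters := BuildScenario(id)
	now := time.Now()
	fmt.Println("trusted leaf alerts:          ", ShouldAlert(leaf, id, roots, inters, now))
	fmt.Println("self-signed impostor alerts:  ", ShouldAlert(impostor, id, roots, inters, now))
	fmt.Println("impostor identity still matches:", matchesIdentity(impostor, id))
}
```

The impostor passes `matchesIdentity` but fails `chainsToTrustedRoot` with an unknown-authority error, so no alert is raised; the roots pool is the only thing that distinguishes the two, which is why it must come from a trusted, configurable source rather than from the entry itself.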