Open jku opened 1 month ago
related: #1347 -- we should change the incorrect KMS key id
I'd be supportive of reducing to a day, but we should try to get community input on this given it would increase the frequency of online queries during verification.
it would increase the frequency of online queries during verification
That's the thing:
if the clients operate as tuf spec requires
This is the issue, at least for the Go client, it allows for configuration that doesn't follow the spec. In Cosign, we would cache targets up to the timestamp validity and then refresh only once the timestamp as expired. In the new sigstore-go TUF client, the default behavior is to follow the TUF spec, but it can be configured. I'm not sure what other clients are doing.
Oh sorry, I re-read, you're saying to keep the timestamp validity the same but just up the frequency of signings. Gotcha, that seems good!
Though I think we should think about decreasing the timestamp validity as well, to let us handle key rotations faster.
decreasing the timestamp validity as well
I'm not sure about this, the main reason I suggest this change (signing more often) is to increase the time we would have to deal with failures -- current 4 days feels very, very tight to me:
This change is now live in root-signing-staging https://github.com/sigstore/root-signing-staging/pull/171
Assuming the migration in #1323 goes as planned, the timestamp expiry period in root v10 is 7 days and the signing period is 4 days meaning we sign a new timestamp every three days. We should consider signing timestamp more often (maybe daily?):