jku
commented
1 month ago related: #1347 -- we should change the incorrect KMS key id
Open jku opened 1 month ago
jku
commented
1 month ago related: #1347 -- we should change the incorrect KMS key id
haydentherapper
commented
1 month ago I'd be supportive of reducing to a day, but we should try to get community input on this given it would increase the frequency of online queries during verification.
jku
commented
1 month ago it would increase the frequency of online queries during verification
That's the thing:
haydentherapper
commented
1 month ago if the clients operate as tuf spec requires
This is the issue, at least for the Go client, it allows for configuration that doesn't follow the spec. In Cosign, we would cache targets up to the timestamp validity and then refresh only once the timestamp as expired. In the new sigstore-go TUF client, the default behavior is to follow the TUF spec, but it can be configured. I'm not sure what other clients are doing.
haydentherapper
commented
1 month ago Oh sorry, I re-read, you're saying to keep the timestamp validity the same but just up the frequency of signings. Gotcha, that seems good!
Though I think we should think about decreasing the timestamp validity as well, to let us handle key rotations faster.
jku
commented
1 month ago decreasing the timestamp validity as well
I'm not sure about this, the main reason I suggest this change (signing more often) is to increase the time we would have to deal with failures -- current 4 days feels very, very tight to me:
jku
commented
1 month ago This change is now live in root-signing-staging https://github.com/sigstore/root-signing-staging/pull/171
Assuming the migration in #1323 goes as planned, the timestamp expiry period in root v10 is 7 days and the signing period is 4 days meaning we sign a new timestamp every three days. We should consider signing timestamp more often (maybe daily?):