Closed haydentherapper closed 4 days ago
cc @woodruffw since we've talked about related things many times
+1 from me -- IMO type separation is good generally, and is best handled at the CA/issuance layer in this case rather than within individual clients.
Description
A user should not need to be aware of which "type" or `GeneralName` the subject is set in. Removing Type would simplify how a certificate identity is represented to be comprised of a subject and issuer only. This is also aligned with other Sigstore client implementations. A similar conversation occurred in Fulcio previously (https://github.com/sigstore/fulcio/issues/716#issuecomment-1204549133), and the threat of "type confusion" was mitigated through CA enforcement that URIs look like URIs and emails look like emails, rather than client enforcement.
Relevant code:
I'd like to discuss this. I'm fine if we ultimately decide there is value in keeping this, but with the goal of making breaking changes before a 1.0, I wanted to raise this.
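The issue above leans on the CA rejecting mis-typed SAN values so that clients can compare a flat subject string without worrying about `GeneralName` types. The following is an added illustration of that issuance-side check, not Fulcio's or sigstore-go's code: each requested SAN is validated against its declared type, and a value that is well-formed for the *other* type is refused even when it might otherwise pass. The `check_san`/`filter_sans` names, the regexes, and the sample request are all constructed for this example (the email pattern is deliberately conservative, not a full RFC 5322 parser).

```python
"""Added example: issuance-side SAN type enforcement (constructed, not Sigstore code)."""
import re
from urllib.parse import urlparse

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
# Conservative mailbox syntax for this example: local@label.label... with an alphabetic TLD
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def is_email_shaped(value: str) -> bool:
    """True if the value is a plausible rfc822Name (mailbox) string."""
    return _EMAIL_RE.fullmatch(value) is not None


def is_uri_shaped(value: str) -> bool:
    """True if the value has a valid scheme plus an authority or path (a bare 'https:' fails)."""
    if not _SCHEME_RE.match(value):
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def check_san(kind: str, value: str) -> tuple[bool, str]:
    """Accept a SAN only if its value is well-formed for its declared GeneralName type
    and is NOT well-formed for the other type. Returns (accepted, reason)."""
    if kind == "email":
        if is_uri_shaped(value):
            return False, "email SAN carries a URI-shaped value"
        if not is_email_shaped(value):
            return False, "email SAN is not a well-formed mailbox"
        return True, "ok"
    if kind == "uri":
        if is_email_shaped(value):
            return False, "URI SAN carries an email-shaped value"
        if not is_uri_shaped(value):
            return False, "URI SAN has no valid scheme/authority"
        return True, "ok"
    return False, f"unsupported GeneralName type {kind!r}"


def filter_sans(requested: list[tuple[str, str]]) -> tuple[list, list]:
    """Split a list of (type, value) SAN requests into accepted and rejected entries."""
    accepted, rejected = [], []
    for kind, value in requested:
        ok, reason = check_san(kind, value)
        (accepted if ok else rejected).append((kind, value, reason))
    return accepted, rejected


# Constructed sample request: two well-typed entries and three that a CA should refuse.
SAMPLE_REQUEST = [
    ("email", "dev@example.com"),
    ("uri", "https://github.com/example/repo/.github/workflows/build.yml@refs/heads/main"),
    ("email", "https://github.com/example/repo"),  # URI smuggled under the email type
    ("uri", "dev@example.com"),                     # mailbox smuggled under the URI type
    ("uri", "https:"),                              # scheme with nothing behind it
]

if __name__ == "__main__":
    ok, bad = filter_sans(SAMPLE_REQUEST)
    for kind, value, _ in ok:
        print(f"ACCEPT {kind:5} {value}")
    for kind, value, reason in bad:
        print(f"REJECT {kind:5} {value!r}: {reason}")
```

Because the CA refuses any value whose shape belongs to a different type, a verifier that later matches only on the flat subject string cannot be tricked into treating an email identity as a URI identity or vice versa, which is what makes dropping the client-side `Type` field safe in this design.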