Open haydentherapper opened 2 months ago
I could be misunderstanding, but I think each of these instances is different from the others and necessary:

Verify()
  -> VerifyLeafCertificate()
(link) - aggregates SETs and TSAs and verifies them against the Fulcio CA.

Verify()
  -> VerifyObserverTimestamps()
    -> VerifyTimestampAuthority()
      -> verifySignedTimestamp()
(link) - verifies each timestamp, if any, against the bundle certificates. The signed entity doesn't always have timestamps issued by a TSA. I think the comment here is mistaken.

Verify()
  -> VerifyTransparencyLogInclusion()
    -> VerifyArtifactTransparencyLog()
(link) - verifies the tlog entry time against the bundle certificates.

@haydentherapper, do you still think these are superfluous?
Description
There are three places we compare certificates against SET or TSA timestamps:
As noted in a comment, the latter two are unnecessary, and so should be removed.
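The check all three call sites share is that an observer-attested time (a Rekor SET integrated time, an RFC 3161 TSA time, or a tlog entry time) must fall inside the leaf certificate's validity window, since a short-lived Fulcio certificate cannot be judged against the verifier's wall clock. The following is an added illustration of that check, not sigstore-go's code; `ObservedTime`, `VerifyCertValidAtObservedTimes` and `NewShortLivedCert` are hypothetical names, and the certificate is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ObservedTime is one attested timestamp: a Rekor SET integratedTime, an
// RFC 3161 TSA genTime, or a transparency-log entry time. Source labels it.
type ObservedTime struct {
	Source string
	Time   time.Time
}

// VerifyCertValidAtObservedTimes (hypothetical helper, not the sigstore-go API)
// requires at least one observer and rejects any observed time outside the
// leaf certificate's NotBefore/NotAfter window.
func VerifyCertValidAtObservedTimes(leaf *x509.Certificate, observed []ObservedTime) error {
	if len(observed) == 0 {
		return fmt.Errorf("no observer timestamps for the certificate")
	}
	for _, o := range observed {
		if o.Time.Before(leaf.NotBefore) || o.Time.After(leaf.NotAfter) {
			return fmt.Errorf("%s time %s outside [%s, %s]", o.Source,
				o.Time.UTC().Format(time.RFC3339), leaf.NotBefore.UTC().Format(time.RFC3339),
				leaf.NotAfter.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// NewShortLivedCert builds a self-signed 10-minute certificate as constructed
// test data standing in for a Fulcio signing certificate.
func NewShortLivedCert(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * time.Minute)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```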