Open laurentsimon opened 1 year ago
We can do this. It requires regenerating some of the older testcases that didn't have SCTs added by default.
I think we're talking about 2 different things and both have value :)
Correct?
Oops, we are, I read this too fast :)
When connecting to Rekor, ensure the TLS connection verifies presence of the cert in the CT
So this is ensuring the cert connection to TUF verifies the SCT?
Yes. I'm realizing this may not be strictly necessary for verification, since TUF does not need TLS. Maybe better suited for the generator during OIDC <-> cert with Fulcio; it would ensure someone else cannot get the OIDC token. (I have another tracking issue in the other repo)
Let's also add a comment in the code that CT is verified for leaf certs, as per https://github.com/sigstore/cosign/blob/5d2964c3d7cb33dada6e945aac2c80008780475d/pkg/cosign/verify.go#L237
We should try to turn on this option if possible, stapling or anything the server supports.
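As an added illustration, not code from cosign, Rekor, or any sigstore project, here is what the presence check discussed in this thread looks like when wired into a Go TLS client with the standard library only. The names `HasEmbeddedSCT`, `CheckSCTPresence` and `newTestLeaf` are assumed for this example; the certificate `newTestLeaf` builds is constructed in-process and its SCT extension holds placeholder bytes, enough to exercise the presence check but not a real SCT list. The check accepts SCTs delivered either embedded in the leaf (X.509 extension, RFC 6962 §3.3) or in the TLS `signed_certificate_timestamp` extension; the third delivery path, an OCSP-stapled response, is reported but not parsed, since the standard library has no OCSP parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidEmbeddedSCT is the X.509 extension OID for an embedded SCT list (RFC 6962 §3.3).
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// HasEmbeddedSCT reports whether the leaf certificate carries a non-empty SCT list extension.
// This is a presence check only: validating the SCT signatures against a known log's
// public key needs a CT library outside the standard library.
func HasEmbeddedSCT(leaf *x509.Certificate) bool {
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) && len(ext.Value) > 0 {
			return true
		}
	}
	return false
}

// CheckSCTPresence has the tls.Config.VerifyConnection signature. It runs after the
// normal chain verification and fails the handshake unless the leaf is accompanied
// by at least one SCT, either embedded in the certificate or sent in the TLS extension.
// A stapled OCSP response may also carry SCTs; we cannot parse it here, so it is
// surfaced in the error message rather than silently accepted or ignored.
func CheckSCTPresence(cs tls.ConnectionState) error {
	if len(cs.PeerCertificates) == 0 {
		return errors.New("no peer certificate presented")
	}
	leaf := cs.PeerCertificates[0]
	if HasEmbeddedSCT(leaf) || len(cs.SignedCertificateTimestamps) > 0 {
		return nil
	}
	if len(cs.OCSPResponse) > 0 {
		return fmt.Errorf("leaf %q has no embedded or TLS-extension SCT; a stapled OCSP response is present but not inspected", leaf.Subject.CommonName)
	}
	return fmt.Errorf("leaf %q has no SCT (embedded or TLS extension)", leaf.Subject.CommonName)
}

// newTestLeaf builds a constructed self-signed leaf. With withSCT set it carries the
// SCT extension OID wrapping placeholder bytes (a constructed value, not a real SCT list).
func newTestLeaf(withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "rekor.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if withSCT {
		// extnValue is an OCTET STRING holding the SerializedSCTList; placeholder content.
		payload, err := asn1.Marshal([]byte{0x00, 0x02, 0x00, 0x00})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: payload}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Client wiring: the root-chain check stays on (InsecureSkipVerify is false) and the
	// SCT presence check is layered on top through VerifyConnection.
	cfg := &tls.Config{VerifyConnection: CheckSCTPresence, MinVersion: tls.VersionTLS12}
	_ = cfg

	for _, withSCT := range []bool{true, false} {
		leaf, err := newTestLeaf(withSCT)
		if err != nil {
			panic(err)
		}
		cs := tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}}
		fmt.Printf("withSCT=%v -> %v\n", withSCT, CheckSCTPresence(cs))
	}
}
```

The check is deliberately layered through `VerifyConnection` rather than replacing `VerifyPeerCertificate`, so chain validation against the configured roots is unchanged and an SCT-less leaf is rejected at handshake time rather than after the connection is already in use.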