slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Provide suggestions on how to distribute public keys used to sign attestations #101

Open TomHennen opened 3 years ago

TomHennen commented 3 years ago

We should include recommendations on how to convey the maximum SLSA level the keys are valid for.

For example:

TomHennen commented 3 years ago

Another (maybe bad!) thought:

Let people register a builder id and public key by sending PRs to some GitHub repo.
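The two ideas above (conveying the maximum SLSA level a key is valid for, and a registry of builder ids and public keys) can be sketched together as a verifier-side check. The Go below is an added example, not code from the issue or from the SLSA project: the registry record shape (`builder_id`, `keyid`, `public_key_hex`, `max_slsa_level`), the keyid convention, the `example.invalid` builder id and the sample payload are all assumptions made up for illustration. It builds a DSSE envelope with Go's standard-library Ed25519, verifies it against the registry using DSSE's pre-authentication encoding, and then applies the level cap from the registry rather than anything the envelope claims about itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// BuilderEntry is one record of a hypothetical key registry (for example a JSON
// file in a Git repository that builders add themselves to by PR). MaxSLSALevel
// is the highest level a verifier may grant to attestations signed by this key.
type BuilderEntry struct {
	BuilderID    string `json:"builder_id"`
	KeyID        string `json:"keyid"`
	PublicKeyHex string `json:"public_key_hex"`
	MaxSLSALevel int    `json:"max_slsa_level"`
}

// Signature and Envelope mirror the DSSE envelope fields.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the attestation bytes
	Signatures  []Signature `json:"signatures"`
}

// pae is DSSE's Pre-Authentication Encoding: the bytes that are actually signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// NewBuilder generates a key pair and the registry entry a builder would submit.
func NewBuilder(id string, maxLevel int) (BuilderEntry, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return BuilderEntry{}, nil, err
	}
	return BuilderEntry{
		BuilderID:    id,
		KeyID:        id + "-key-1", // keyid is only a lookup hint in DSSE (assumed convention)
		PublicKeyHex: hex.EncodeToString(pub),
		MaxSLSALevel: maxLevel,
	}, priv, nil
}

// Sign wraps an attestation payload in a DSSE envelope signed with priv.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify returns the registry entry whose key validly signed env. The registry,
// not the envelope, is the source of both the public key and the level cap.
func Verify(registry []BuilderEntry, env Envelope) (BuilderEntry, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return BuilderEntry{}, fmt.Errorf("bad payload encoding: %w", err)
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		for _, e := range registry {
			if e.KeyID != s.KeyID {
				continue
			}
			pub, err := hex.DecodeString(e.PublicKeyHex)
			if err != nil || len(pub) != ed25519.PublicKeySize {
				continue // malformed registry entry: never trust it
			}
			sig, err := base64.StdEncoding.DecodeString(s.Sig)
			if err == nil && ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
				return e, nil
			}
		}
	}
	return BuilderEntry{}, errors.New("no signature verified against a registered key")
}

// MeetsLevel applies the cap: a valid signature from a key registered for at most
// level 2 cannot satisfy a policy that requires level 3.
func MeetsLevel(e BuilderEntry, required int) bool {
	return e.MaxSLSALevel >= required
}

func main() {
	entry, priv, err := NewBuilder("https://example.invalid/builder", 2) // constructed sample
	if err != nil {
		panic(err)
	}
	registry := []BuilderEntry{entry}
	env := Sign(priv, entry.KeyID, "application/vnd.in-toto+json", []byte(`{"_type":"constructed sample"}`))
	got, err := Verify(registry, env)
	fmt.Println(got.BuilderID, err, MeetsLevel(got, 2), MeetsLevel(got, 3))
}
```

The point of keeping `MaxSLSALevel` in the registry rather than in the attestation is that a compromised or mis-scoped builder key cannot promote itself: whoever reviews the registry PR decides the ceiling, and a verifier that requires level 3 rejects an otherwise valid signature from a level-2 key.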

joshuagl commented 3 years ago

Datadog do this for their in-toto links using TUF, see Secure Publication of Datadog Agent Integrations with TUF and in-toto. Cc @trishankatdatadog

I'd be happy to help document how to use TUF for this.

In fact, I think we could even provide some PoC code. @jku has been experimenting with a tool to store TUF metadata in a GitHub repository, then using GitHub Actions to generate the snapshot and timestamp metadata.

trishankatdatadog commented 3 years ago

This is where the sigstore root of trust might be helpful 🙂 @dlorenc @asraa

The idea, as Joshua suggested, is to use TUF to bootstrap trust for in-toto layouts (the functionaries of whom can then use, for example, SPIFFE/SPIRE for machine signing keys). Happy to help with this document, Joshua, if you get it started.

TomHennen commented 3 years ago

Oh I think some proposals would be great. Is the idea that everyone that wants to verify DSSE sigs would use in-toto to verify the roots?

trishankatdatadog commented 3 years ago

> Oh I think some proposals would be great. Is the idea that everyone that wants to verify DSSE sigs would use in-toto to verify the roots?

No, we mean that people who want to verify in-toto links (whether using DSSE or not) will probably want to use TUF to verify the in-toto layouts and their associated public keys (not to mention the links and artifacts themselves, but that's a different story for another day) 🙂

TomHennen commented 3 years ago

Oh I see. With this issue I was hoping to find an approach that worked for all users of DSSE (whether in-toto links or not). 😄

trishankatdatadog commented 3 years ago

Hmm, then the title is not clear at all. You mean the more general https://github.com/in-toto/attestation?

joshuagl commented 3 years ago

> Oh I think some proposals would be great. Is the idea that everyone that wants to verify DSSE sigs would use in-toto to verify the roots?

I was thinking more along the lines of using TUF PKI-like features to distribute and manage public keys. Admittedly, if you are not using any of the other features of TUF it could be considered overkill, but it serves a dual purpose for me as I get to write about TUF and SLSA. :-)

trishankatdatadog commented 3 years ago

> I was thinking more along the lines of using TUF PKI-like features to distribute and manage public keys. Admittedly, if you are not using any of the other features of TUF it could be considered overkill, but it serves a dual purpose for me as I get to write about TUF and SLSA. :-)

We certainly can use TUF to verify in-toto attestations. However, what's not clear to me is whether we want a general way to cover arbitrary DSSE payloads... it still can work, but I'm just not clear about what we're trying to do here.

TomHennen commented 3 years ago

I would definitely like a way to cover arbitrary DSSE payloads.

trishankatdatadog commented 3 years ago

> I would definitely like a way to cover arbitrary DSSE payloads.

It should work. @joshuagl, should we draft something up and send a PR?

joshuagl commented 3 years ago

> > I would definitely like a way to cover arbitrary DSSE payloads.
>
> It should work. @joshuagl, should we draft something up and send a PR?

Absolutely, let's write something up (though I am AFK next week – let's catch up after?).

trishankatdatadog commented 3 years ago

@joshuagl let's get started on this?

marcofranssen commented 3 years ago

> This is where the sigstore root of trust might be helpful 🙂 @dlorenc @asraa
>
> The idea, as Joshua suggested, is to use TUF to bootstrap trust for in-toto layouts (the functionaries of whom can then use, for example, SPIFFE/SPIRE for machine signing keys). Happy to help with this document, Joshua, if you get it started.

Something that might be of interest is the following. I have made a small CLI tool to authenticate to HashiCorp Vault using a SPIFFE JWT. In the example folder you can find a Cosign example using the HashiCorp Vault transit engine. https://github.com/philips-labs/spiffe-vault @dlorenc @trishankatdatadog