slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Digital signatures? At least cite sigstore #15

Open david-a-wheeler opened 3 years ago

david-a-wheeler commented 3 years ago

I don't see digital signature verification.

Was that what was intended by "Provenance chain"? It's not clear. I think "Provenance chain" needs clarification so that people will know what is an acceptable way to achieve this. For example, it should be clear whether or not "provenance chain" requires verification of digital signatures. More generally, it should be clear if digital signatures are expected somewhere or not.

As you well know, there are many problems today in verifying digital signatures, so I understand if you don't want to require them today. That said, I think at least referring to sigstore in the "related work" section would be a good idea.

MarkLodato commented 3 years ago

We now have an explicit "Authenticated" row as of #55. The next step is to further explain how the PKI will work in practice.