slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Wishlist for higher SLSA levels #194

Open joshuagl opened 2 years ago

joshuagl commented 2 years ago

There have been a few suggestions over time of things to add in future as higher SLSA levels once the current requirements are well established. I wanted to create a space to jot down wish list items for those future higher SLSA levels.

Note: this is not to push for a higher level to be defined today, or even soon, but instead to start capturing items that may warrant a higher SLSA level.

mattmoor commented 2 years ago

Today SLSA doesn't touch on credential or key lifespan at all, but I think the exclusive use of extremely short-lived credentials (e.g. OIDC) and keys (e.g. Fulcio) might be a SLSA 5 thing.
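As an added illustration of the lifetime requirement mattmoor sketches (this is example code written for this page, not code from the SLSA project or from the comment author): a verifier that reads the `iat`/`exp` claims of an OIDC token and rejects anything valid for longer than a policy maximum. The `MAX_LIFETIME` value, the token contents and the `issuer.example` URI are constructed assumptions; signature verification is assumed to have been done already by the OIDC client library, since this code only inspects claims.

```python
import base64
import json
from datetime import timedelta

# Hypothetical policy threshold (assumption, not a SLSA-defined value): a
# credential granted a longer lifetime than this is treated as long-lived.
MAX_LIFETIME = timedelta(minutes=10)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_token(claims: dict) -> str:
    """Construct a JWS-shaped token with a placeholder signature (test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS.

    Signature verification is assumed to have happened upstream; this function
    only reads the claims so that their lifetime can be bounded.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def credential_lifetime(claims: dict) -> timedelta:
    """Lifetime the issuer granted, derived from the iat and exp claims."""
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token lacks iat or exp; lifetime cannot be bounded")
    return timedelta(seconds=int(claims["exp"]) - int(claims["iat"]))


def is_short_lived(claims: dict, max_lifetime: timedelta = MAX_LIFETIME) -> bool:
    """True when the granted lifetime is within policy."""
    return credential_lifetime(claims) <= max_lifetime


def token_status(token: str, max_lifetime: timedelta = MAX_LIFETIME) -> str:
    """Classify a token as 'short-lived', 'long-lived' or 'unbounded' (no iat/exp)."""
    claims = decode_jwt_claims(token)
    try:
        return "short-lived" if is_short_lived(claims, max_lifetime) else "long-lived"
    except ValueError:
        return "unbounded"


# Constructed sample tokens (not output of any real issuer).
ISSUED_AT = 1_700_000_000
SHORT_TOKEN = build_unsigned_token(
    {"iss": "https://issuer.example", "sub": "ci-job", "iat": ISSUED_AT, "exp": ISSUED_AT + 300}
)
LONG_TOKEN = build_unsigned_token(
    {"iss": "https://issuer.example", "sub": "ci-job", "iat": ISSUED_AT, "exp": ISSUED_AT + 365 * 86400}
)
NO_EXP_TOKEN = build_unsigned_token({"iss": "https://issuer.example", "sub": "ci-job", "iat": ISSUED_AT})

if __name__ == "__main__":
    for name, tok in [("short", SHORT_TOKEN), ("long", LONG_TOKEN), ("no-exp", NO_EXP_TOKEN)]:
        print(f"{name}: {token_status(tok)}")
```

A token without `exp` is reported as `unbounded` rather than accepted, because a lifetime that cannot be measured cannot be shown to be short; the same shape of check applies to the validity window of a signing certificate.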

joshuagl commented 2 years ago

@david-a-wheeler suggested verified reproducible builds in #5
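An added example of what "verified" reproducible builds means at the policy level (example code written for this page, not from the SLSA project or from the comment linked above): an artifact is accepted only when a minimum number of distinct, independent builders attest to having rebuilt it to the identical digest. The attestation structure, builder URIs and artifact bytes are constructed here; in practice each attestation would be a signed provenance statement whose signature is verified before its digest is trusted, which this example assumes has already happened.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RebuildAttestation:
    """Assumed shape: who rebuilt the artifact and what digest they obtained."""
    builder_id: str      # URI naming an independent build service (constructed)
    artifact_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def agreeing_builders(artifact: bytes, attestations) -> set:
    """Distinct builders whose rebuild produced exactly this artifact's digest."""
    expected = sha256_hex(artifact)
    return {a.builder_id for a in attestations if a.artifact_sha256 == expected}


def verify_reproduced(artifact: bytes, attestations, min_independent_builders: int = 2) -> bool:
    """Accept only if enough independent rebuilders reproduced the artifact bit-for-bit.

    Duplicate attestations from one builder count once, so a single compromised
    builder cannot meet the threshold by attesting repeatedly.
    """
    return len(agreeing_builders(artifact, attestations)) >= min_independent_builders


# Constructed sample data: the artifact under verification and three rebuilders,
# one of which (builder-c) produced a different digest.
ARTIFACT = b"#!/bin/sh\necho hello\n"
GOOD = sha256_hex(ARTIFACT)
DIVERGENT = sha256_hex(ARTIFACT + b"# non-deterministic timestamp\n")
ATTESTATIONS = [
    RebuildAttestation("https://builder-a.example", GOOD),
    RebuildAttestation("https://builder-a.example", GOOD),   # duplicate, counts once
    RebuildAttestation("https://builder-b.example", GOOD),
    RebuildAttestation("https://builder-c.example", DIVERGENT),
]

if __name__ == "__main__":
    print("agreeing:", sorted(agreeing_builders(ARTIFACT, ATTESTATIONS)))
    print("2-of-n reproduced:", verify_reproduced(ARTIFACT, ATTESTATIONS, 2))
    print("3-of-n reproduced:", verify_reproduced(ARTIFACT, ATTESTATIONS, 3))
```

The divergent attestation from `builder-c` is a useful signal in its own right: a single disagreeing rebuild points at a non-deterministic build input worth investigating even when the threshold is met.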

moshe-apiiro commented 2 years ago

Expand zero-trust notion over all steps, including originated geo-location, network, sources, users, providers.