Open joshuagl opened 2 years ago
Today SLSA doesn't touch on credential or key lifespan at all, but I think the exclusive use of extremely short-lived credentials (e.g. OIDC) and keys (e.g. Fulcio) might be a SLSA 5 thing.
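As an added example (not from the SLSA project or this issue's author), this is what a verifier-side policy for the "extremely short-lived credentials" idea above could look like: it rejects an OIDC token or an X.509 validity window whose lifetime exceeds an assumed 10-minute limit. The tokens are constructed and unsigned; signature checking is assumed to happen elsewhere.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Assumed policy value (not from the issue): signing credentials may live at most 10 minutes.
MAX_LIFETIME = timedelta(minutes=10)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(iat: int, exp: int) -> str:
    """Build a constructed, unsigned JWT (alg=none) for demonstration only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": exp}).encode())
    return f"{header}.{payload}."


def window_ok(not_before: datetime, not_after: datetime,
              limit: timedelta = MAX_LIFETIME) -> bool:
    """True if a validity window is non-empty and no longer than the limit."""
    return timedelta(0) < (not_after - not_before) <= limit


def token_ok(token: str, limit: timedelta = MAX_LIFETIME) -> bool:
    """Apply the lifetime policy to an OIDC token's iat/exp claims.
    Signature verification is out of scope here and must be done separately."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if "iat" not in claims or "exp" not in claims:
        return False  # unbounded lifetime: fail closed
    nbf = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    naf = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    return window_ok(nbf, naf, limit)


def cert_ok(not_before_iso: str, not_after_iso: str,
            limit: timedelta = MAX_LIFETIME) -> bool:
    """Same policy applied to an X.509 notBefore/notAfter pair (ISO 8601 strings),
    e.g. the validity window of a Fulcio-issued signing certificate."""
    return window_ok(datetime.fromisoformat(not_before_iso),
                     datetime.fromisoformat(not_after_iso), limit)


if __name__ == "__main__":
    short = make_unsigned_token(1_700_000_000, 1_700_000_300)     # 5-minute token
    long_lived = make_unsigned_token(1_700_000_000, 1_700_086_400)  # 24-hour token
    print(token_ok(short), token_ok(long_lived))  # True False
```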
@david-a-wheeler suggested verified reproducible builds in #5
Expand the zero-trust notion over all steps, including originating geo-location, network, sources, users, providers.
There have been a few suggestions over time of things to add in future as higher SLSA levels once the current requirements are well established. I wanted to create a space to jot down wish list items for those future higher SLSA levels.
Note: this is not to push for a higher level to be defined today, or even soon, but instead to start capturing items that may warrant a higher SLSA level.