veraison / services

Attestation verification services based on Veraison components
Apache License 2.0

feature: use gh "Artifact Attestations" #227

Open thomas-fossati opened 3 months ago

thomas-fossati commented 3 months ago

G-H artifact attestation is now in public beta.

It seems like something we should enable to provide relying parties with high-quality and granular information about the veraison instance they are accepting results from.

The produced attestation could be added to (or linked by) the .well-known/veraison API and/or to the produced EAR in the verifier-id object.

All of this should be associated with some kind of release process that, at the moment, we don't have. The closest we have, though, is the monthly tag, so I suggest we piggy-back on that G-H action to build and publish the services containers and create the associated attestations.