Proposal 88: Encapsulate runtime policies in DSSE-signed envelopes #89
Conversation
|
@SantiagoTorres would love for you to have a look 😄 |
mbestavros
force-pushed
the
ima-policy-envelope
branch
from
653a4bb
to
8c02c74
Compare
|
RE: dependencies. I did a quick check on the dependencies added for DSSE. Considering the use of cryptography is already widespread, there would be no additional dependencies other than the direct dependency on securesystemslib |
Thanks for this! I will update the proposal with that explicit dependency. |
|
@mbestavros has something changed in comparison to the current implementation? If not we should merge this PR. |
|
@THS-on I just had another read through - nothing material has changed, but there are lots of references to "IMA policies" and "allowlists" as was the typical language at the time of writing. I can edit those references out if desired. |
Signed-off-by: Mark Bestavros <[email protected]>
mbestavros
force-pushed
the
ima-policy-envelope
branch
from
8c02c74
to
4fe55f8
Compare
|
@THS-on I just rebased and updated the language to be "runtime policies". Should be ready to merge now. |
mbestavros
changed the title
This proposal introduces the idea of signing Keylime runtime policies using the standardized, upstream DSSE signed envelope format.
It supersedes and builds on the ideas from #79, by @lukehinds. That proposal focused on introducing attached signatures to Keylime runtime policies using a similar format to the in-toto project's attached signature format; however, in-toto (as well as other supply chain projects) appear to be standardizing on DSSE, and it would make sense for Keylime to follow suit when implementing attached signatures.
Mapped issue: #88
cc @lukehinds @mpeters @THS-on @SantiagoTorres
Signed-off-by: Mark Bestavros [email protected]