-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal 88: Encapsulate runtime policies in DSSE-signed envelopes #89
Conversation
@SantiagoTorres would love for you to have a look 😄 |
653a4bb
to
8c02c74
Compare
RE: dependencies. I did a quick check on the dependencies added for DSSE. Considering the use of cryptography is already widespread, there would be no additional dependencies other than the direct dependency on securesystemslib |
Thanks for this! I will update the proposal with that explicit dependency. |
@mbestavros has something changed in comparison to the current implementation? If not we should merge this PR. |
@THS-on I just had another read through - nothing material has changed, but there are lots of references to "IMA policies" and "allowlists" as was the typical language at the time of writing. I can edit those references out if desired. |
Signed-off-by: Mark Bestavros <[email protected]>
8c02c74
to
4fe55f8
Compare
@THS-on I just rebased and updated the language to be "runtime policies". Should be ready to merge now. |
This proposal introduces the idea of signing Keylime runtime policies using the standardized, upstream DSSE signed envelope format.
It supersedes and builds on the ideas from #79, by @lukehinds. That proposal focused on introducing attached signatures to Keylime runtime policies using a similar format to the in-toto project's attached signature format; however, in-toto (as well as other supply chain projects) appear to be standardizing on DSSE, and it would make sense for Keylime to follow suit when implementing attached signatures.
Mapped issue: #88
cc @lukehinds @mpeters @THS-on @SantiagoTorres
Signed-off-by: Mark Bestavros [email protected]