Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify what is interpretted as trust anchor for chain #245

Merged
merged 1 commit into from
Mar 6, 2024
Merged

Clarify what is interpretted as trust anchor for chain #245

merged 1 commit into from
Mar 6, 2024

Conversation

haydentherapper
Copy link
Collaborator

This standardizes client behavior on considering the last certificate in the chain as a trust anchor, regardless if it's a root or intermediate. This means clients should use all preceding CA certificates as chain-builders or intermediates.

We do document the case where an intermediate may be issued from multiple roots, specifying that multiple chains should be provided. Another solution for a later PR could be to provide two pools, trusted and untrusted, as an alternative to chains.

Summary

Release Note

Documentation

@haydentherapper
Copy link
Collaborator Author

haydentherapper commented Mar 5, 2024
edited
Loading

@woodruffw jsut to check, is it expected that gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin is updated?

@haydentherapper haydentherapper requested review from woodruffw and kommendorkapten and removed request for woodruffw March 5, 2024 19:32
kommendorkapten
kommendorkapten previously approved these changes Mar 6, 2024
View reviewed changes
Copy link
Member

@kommendorkapten kommendorkapten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@haydentherapper
Clarify what is interpretted as trust anchor for chain
081f498 
This standardizes client behavior on considering the last certificate in
the chain as a trust anchor, regardless if it's a root or intermediate.
This means clients should use all preceding CA certificates as
chain-builders or intermediates.

We do document the case where an intermediate may be issued from
multiple roots, specifying that multiple chains should be provided.
Another solution for a later PR could be to provide two pools, trusted
and untrusted, as an alternative to chains.

Signed-off-by: Hayden Blauzvern <[email protected]>
@haydentherapper
Copy link
Collaborator Author

Rebased

@woodruffw
Copy link
Member

is it expected that gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin is updated?

I believe so, but CCing @tnytown to confirm 🙂

woodruffw
woodruffw approved these changes Mar 6, 2024
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tnytown
Copy link
Contributor

tnytown commented Mar 6, 2024

is it expected that gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin is updated?

it's data for protobuf reflection so it wouldn't surprise me if it encapsulated these doc changes. we don't use reflective features so it shouldn't matter if this change is included or not :)

@haydentherapper haydentherapper merged commit 49f0435 into sigstore:main Mar 6, 2024
25 checks passed
@haydentherapper haydentherapper mentioned this pull request Mar 6, 2024
Closed
@woodruffw woodruffw mentioned this pull request Mar 6, 2024
Open
@haydentherapper haydentherapper deleted the clarify-chain branch April 1, 2024 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

@kommendorkapten kommendorkapten kommendorkapten left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@haydentherapper @woodruffw @tnytown @kommendorkapten