[public deployment spec] Flesh out timestamp authority section #34
Description
We are going to remove timestamp authorities from the trust root.
We should significantly flesh this section out since it's not well discussed anywhere. This could have its own top level header, "Verifying short-lived certificates" and discuss sources of time (signed timestamps from TSAs or from Rekor) and the threat model of trusting each (distributed trust vs trusting Rekor)
Again, something to be changed in v2, separately out the timestamping portion from rekor.
Originally posted by @haydentherapper in #23 (comment)