Architecture docs #373

Closed
1 of 5 tasks
nsmith5 opened this issue Feb 1, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@nsmith5
Contributor

nsmith5 commented Feb 1, 2022

Description

It takes a really long time to get started with Fulcio development because of the lack of architecture docs. The reader needs to spin everything up and look at the code to get the gist of how things work. I think we can make this much better with basic architecture docs including:

  • Detailed explanation of how a certificate request works from start to finish
  • Flow diagram of OIDC authentication
  • Clear diagrams and explanation of upstream and downstream dependencies
    • Explain how the rest of sigstore relies on Fulcio
    • Explain how Fulcio relies on a certificate transparency log and certificate authority
@nsmith5 nsmith5 added the enhancement New feature or request label Feb 1, 2022
@lukehinds
Member

Agree, I would add a nice flow diagram of OIDC as well.

@nsmith5
Contributor Author

nsmith5 commented Feb 1, 2022

I've got a very detailed description of the certificate request lifecycle in this doc that I can repurpose for the "how a certificate request works" part of this: https://docs.google.com/document/d/1PKAou7wEmEob4VOLq6rFlx5maOM5hkJ3XffZizfwdFw/edit

The original doc was to discuss a proposal for #275, but I think the background information in it is probably worth adding in its own right.

@endorama
Contributor

endorama commented Feb 15, 2022

I've been looking at the OIDC authentication flow. Is it correct that the one to document is the Basic/Authentication flow?

Am I correct in saying that the IDP redirects to Fulcio, which then uses the ID token as issuer for the signing certificate? Or is Fulcio not involved with authentication and just receives an ID token that validates with the IDP?

@haydentherapper
Contributor

Work is complete
