Document the certificate issuing process #383

Merged
merged 1 commit into from Feb 4, 2022

Contributor

@nsmith5 nsmith5 commented Feb 3, 2022

Summary

Adds a basic overview of the certificate issuing process to our docs to help bring new collaborators up to speed. It's a little light on the certificate transparency and SCT stuff, but I think it's a good starting point.

NB: The images all have the excalidraw source embedded in them so they can be changed / edited by anyone

Ticket Link

Relates to #373

Release Note

NONE

Member

@lukehinds lukehinds left a comment

Thanks for this Nathan, very needed bit of work.

I made a few comments, but nothing major

Regarding "docs/img/return-certificate.png", I wonder if instead of having "Google CA" we could put "CA Backend" or "interface", something to show it's not fixed to Google, as we support other backends.

Comment on lines +22 to +24
- A challenge. This challenge proves the client is in possession of the private
key that corresponds to the public key provided. The challenge created by
signing the subject portion of the OIDC ID token
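
Review bot: The last sentence of this bullet (lines +23 to +24) is missing its verb: "The challenge created by signing ..." should read "The challenge is created by signing ...". It would also help to state explicitly that the signature is made with the private key corresponding to the public key in the request, and to end the bullet with a period, so the proof-of-possession step is unambiguous.
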
Member

The challenge description reads correct, but is it stuffed into the cert now?

Contributor Author

I don't think so. Are you saying it reads like that or it doesn't read like that and it should to be accurate?

Member

@lukehinds lukehinds Feb 3, 2022

Actually, reading it again, I missed the reference to "request", so I misread it as being in the certificate.

"The certificate request contains three items:"

It might be confused with CSR (certificate signing request)

Contributor Author

Ahhh right, I see. Yeah, I just meant the API request, if that makes sense. I think I can clarify that.

@lukehinds
Member

cc @bobcallaway / @dlorenc for their input.

@nsmith5 nsmith5 force-pushed the docs/how-certificate-requests-work branch 3 times, most recently from 15ed6d0 to da8753d Compare February 3, 2022 16:51
Add a high-level document describing the certificate issuing process to
help new contributors understand how Fulcio works.

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
@nsmith5 nsmith5 force-pushed the docs/how-certificate-requests-work branch from da8753d to 921a3e5 Compare February 3, 2022 16:53
@nsmith5
Contributor Author

nsmith5 commented Feb 3, 2022

Rewrote the end and expanded on the certificate authority backend, ct log upload etc. I find it easiest to review the rendered content here https://github.com/nsmith5/fulcio/blob/docs/how-certificate-requests-work/docs/how-certificate-issuing-works.md

@dlorenc
Member

dlorenc commented Feb 3, 2022

This looks good to me!

@dlorenc dlorenc merged commit 5c51127 into sigstore:main Feb 4, 2022