TAP for TUF developer key management #141

Merged
merged 33 commits into from
Feb 7, 2023

Commits on Jul 27, 2021

  1. Add first draft of Fulcio TAP

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jul 27, 2021
    4b8ee68

Commits on Aug 12, 2021

  1. [Fulcio TAP] Minor clarifications and corrections

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Aug 12, 2021
    7db2f6d

Commits on Aug 19, 2021

  1. [Fulcio TAP] Add links and clarifications

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Aug 19, 2021
    57f3476

Commits on Aug 31, 2021

  1. Apply suggestions from code review

    Co-authored-by: axel simon <github@axelsimon.net>
    mnm678 and axelsimon authored Aug 31, 2021
    a509f6d
  2. [Fulcio TAP] Generalize email to OIDC identity

    Fulcio can use any OIDC identity. This changes the metadata format
    to reflect this.
    
    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Aug 31, 2021
    5480134

Commits on Sep 10, 2021

  1. Add explicit recommendation to use auditors for the TL

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Sep 10, 2021
    c31cc6d
  2. Add OIDC compromise to security analysis

    Also clarify that auditors may use TAP 3 multi-role delegations
    
    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Sep 10, 2021
    07fc229

Commits on Nov 29, 2021

  1. Clarify use of multi-role delegations

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 29, 2021
    22c70e7
  2. Apply suggestions from code review

    adds consistent capitalization and some clarifications
    
    Co-authored-by: axel simon <git@axelsimon.net>
    mnm678 and axelsimon authored Nov 29, 2021
    5bbab5d
  3. capitalize shoulds and musts

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 29, 2021
    3f3a67a

Commits on Nov 30, 2021

  1. Update candidate-fulcio-tap.md

    Co-authored-by: axel simon <git@axelsimon.net>
    mnm678 and axelsimon authored Nov 30, 2021
    1cb0ba6

Commits on Dec 16, 2021

  1. [Fulcio TAP] Add link to augmented reference implementation

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Dec 16, 2021
    f6f9312

Commits on Jan 10, 2022

  1. [fulcio TAP] clarify auditor signatures and revocation

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jan 10, 2022
    61f2cc9

Commits on Mar 22, 2022

  1. Add clarifications about verification

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Mar 22, 2022
    e8e6111

Commits on Mar 30, 2022

  1. Move Fulcio root cert to delegating metadata

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Mar 30, 2022
    c648977
  2. Add detail about verifying with Rekor

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Mar 30, 2022
    cbf1e06
  3. Apply suggestions from code review

    Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
    mnm678 and trishankatdatadog authored Mar 30, 2022
    cc4d9a4

Commits on Apr 28, 2022

  1. client check SHOULD -> MAY

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Apr 28, 2022
    a680f56

Commits on Jun 24, 2022

  1. Clarify when Fulcio certs should be valid

    Signed-off-by: Marina Moore <marina@chainguard.dev>
    mnm678 committed Jun 24, 2022
    eb50378

Commits on Jul 26, 2022

  1. [Fulcio TAP] Remove Rekor requirement

    If certificates are uploaded while they are valid, the Rekor check
    is not needed. This commit also clarifies the tradeoffs for clients
    deciding whether to check Rekor directly.
    
    Signed-off-by: Marina Moore <marina@chainguard.dev>
    mnm678 committed Jul 26, 2022
    4910aa0

Commits on Jul 28, 2022

  1. [Fulcio TAP] Update Fulcio details from code review

    Signed-off-by: Marina Moore <marina@chainguard.dev>
    mnm678 committed Jul 28, 2022
    f8f252d

Commits on Nov 1, 2022

  1. Clarify fulcio certificates

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 1, 2022
    4975dc5

Commits on Nov 3, 2022

  1. [Fulcio TAP] Simplify the explanation of signing and verifying

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 3, 2022
    9e8dbb3
  2. [Fulcio TAP] Update signing and verification

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 3, 2022
    50564bd

Commits on Nov 4, 2022

  1. Apply suggestions from code review

    Co-authored-by: asraa <asraa@google.com>
    Signed-off-by: Marina Moore <mnm678@users.noreply.github.com>
    mnm678 and asraa authored Nov 4, 2022
    7b315fb
  2. Clarify use of single Fulcio instance

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 4, 2022
    ec67d7d
  3. add in the Fulcio CT log

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Nov 4, 2022
    9893ba1

Commits on Jan 13, 2023

  1. Add link to threat model doc

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jan 13, 2023
    13c5266

Commits on Jan 17, 2023

  1. [Fulcio TAP] minor clarifications

    Highlight that existing Sigstore tooling should be used
    
    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jan 17, 2023
    d7f086e

Commits on Jan 27, 2023

  1. formatting fixes and typos

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jan 27, 2023
    033e544
  2. Clarifications from review

    Especially this:
    * generalized the "repository"
    * generalized the "developer"
    * fixes links
    
    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Jan 27, 2023
    8dda4e2

Commits on Feb 2, 2023

  1. Apply suggestions from code review

    Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
    Signed-off-by: Marina Moore <mnm678@users.noreply.github.com>
    mnm678 and lukpueh authored Feb 2, 2023
    98f5d0f
  2. clarifications based on code review

    Signed-off-by: Marina Moore <mnm678@gmail.com>
    mnm678 committed Feb 2, 2023
    8d60a51