-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define Bundle Verification Result #66
Comments
+1 @vaikas, any other things useful or interesting? My own thoughts about the error struct:
But +1 on defining step related verification results - I image the message contains info like "the ith tlog entry was unable to verify" We can always extend for the surfaced info when there is a success. Maybe we do something like this:
|
One concern for this is that if the verification result with parsed extensions gets persisted and later used for verification, it's susceptible to compromise/mutation. Can we be very clear that the verification result is meant to only be used at the time of verification? +1 on having error classes. One small question is do we want to distinguish between whether a key was used vs a certificate? Or is it sufficient to derive that from what was provided for verification? |
I would find it surprising that people would persist this and use it in an untrusted process. But yeah, I agree, it shouldn't be passed to other processes.
Another way to put it is that some VerificationSteps may only be relevant for some inputs (like a key being used will never trigger a If we add verification output, then I image that the certificate OID extensions would be in an optional field that is only present when the input was a cert. |
Big +1 on the error classes -- much more expressive than my initial proposal.
Maybe the OID extensions become an optional field in |
No :D because no one should use it. But actually I'm just kidding: I believe ArtifactVerificationProperties did have properties on identity / extension stuff? If so, maybe you fail on policy but have a cryptographically valid sig. In which case the error class that describes cert invalidity can have an error that allows describing expected/retrieved extensions. I'd say that's somewhat different than a sig verification error, and more of a policy error? |
Correct, and that is an important info to be returned back to the client too. |
FWIW, we currently do a similar thing in So I'm a big fan of more formally enumerating the error states here 🙂 |
Inspiration from the sigstore-go client: https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/signed_entity.go#L156 |
We already have message types defined that describe the inputs to the verification process (
Bundle
,TrustedRoot
,ArtifactVerificationOptions
) so it seems reasonable to also define a standardized verification response. This will give clients a standard way to convey more specific verification errors (and make it easier to compare the verification results across the different client implementations).I'm not married to this particular design, but offering it as a starting point for refinement:
If we go with this idea of having some sort of enum to identity the specific verification step which failed we could go even more granular (e.g.
CERTIFICATE_CHAIN_SCT
,TRANSPARENCY_LOG_INCLUSION_PROOF
, etc) . . . not clear to me what the most useful level of detail is gonna be.Another thing which occurs to me is that it might be helpful for the
VerificationResult
to surface the Fulcio certificate extensions (in the case where the verification is successful). The extensions are probably the next things any client is gonna read after verifying the bundle and this could save them the trouble of fishing them out of the certificate.CC @kommendorkapten @asraa
The text was updated successfully, but these errors were encountered: