Comments (10)
https://datatracker.ietf.org/doc/html/rfc3628#section-7.2 and https://datatracker.ietf.org/doc/html/rfc3628#section-7.4 are the main sections on policy that I'm not sure we can conform to in a cloud environment. MS or Apple might have a better TSA policy that's more up to date with modern deployment.
from timestamp-authority.
A few more links I had recorded at some point:
- https://datatracker.ietf.org/doc/html/rfc5816 - Updates for certificate inclusion to 3161
- Use of RFC 3628's policy ID - https://cs.github.com/?scopeName=All+repos&scope=&q=%220.4.0.19422.1.1%22
- Policy requirements as per EU - https://www.etsi.org/deliver/etsi_en/319400_319499/319422/01.01.00_30/en_319422v010100v.pdf
- More policy requirements - https://www.etsi.org/deliver/etsi_en/319400_319499/319421/01.01.01_60/en_319421v010101p.pdf
from timestamp-authority.
Yea, if the rest of RFC 3628 is relevant, we could just copy it into a document and update the section on key storage.
from timestamp-authority.
This GitHub repo would be best! Architecture docs might be a good final home, but we haven't checked anything into that yet. docs is just for the website currently.
from timestamp-authority.
GitHub won't let me assign myself to the issue yet, but I can start taking a look at this.
from timestamp-authority.
After reading through https://datatracker.ietf.org/doc/html/rfc3628 and specifically sections 7.2 and 7.4 noted above, I don't believe we can conform to them in a cloud environment. These sections discuss the generation of keys in a physically secure location and securing/limiting the access to the facilities that host the keys and TSA hardware; see section 7.4.4.
Apple has a timestamp sub-CA certification practice statement. Section 3.2.1 covers private key storage and specifies that the private key must be stored in an HSM validated at a minimum level of FIPS 140-2 Level 3. GCP offers a cloud-based HSM service that fulfills the same FIPS requirement.
However, the statement also discusses physical security in section 5.5. This section includes defining "security perimeters with appropriate physical barriers to entry around the business premises and Timestamp Sub-CA facilities". Because we are using a cloud environment, this is not something we can enforce ourselves.
from timestamp-authority.
I'll look into whether MS has a more modern one as well but we may want to consider writing our own.
from timestamp-authority.
@haydentherapper reading through https://www.etsi.org/deliver/etsi_en/319400_319499/319421/01.01.01_60/en_319421v010101p.pdf, it looks like the private key generation section states the generation must be carried out in a secure environment, similar to RFC 3161.
What do you think of creating a policy that just updates the "private key generation" and "physical and environmental security" sections of either RFC 3161 or RFC 5816 to work with a cloud environment?
I'll keep looking through more policies in the meantime.
from timestamp-authority.
Where do we want to store the finalized specifications doc? In this repository as a markdown file? I noticed the https://github.com/sigstore/architecture-docs and https://github.com/sigstore/docs repositories as well.
from timestamp-authority.
Update OID here: https://github.com/sigstore/timestamp-authority/blob/main/pkg/api/timestamp.go#L40
from timestamp-authority.