diff --git a/content/en/about/bundle.md b/content/en/about/bundle.md index b255473d..a973244f 100644 --- a/content/en/about/bundle.md +++ b/content/en/about/bundle.md @@ -18,10 +18,12 @@ is satisfied by the **Verification Material** and signature **Content**. ### Verification Material -This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. Bundles must include at least one transparency log's signed entry timestamp or an [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamp to provide proof of signing time. +This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. When using short lived Fulcio certificates where verification may occur after the certificate has expired, bundles must include at least one transparency log's signed entry timestamp or an [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamp to provide proof that signing occured during the ceritificates validity window. #### Key Material +##### X.509 certificate + A single X.509 leaf certificate conveying the signing key and containing [extensions](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) for identities consumed at verification time. This is the recommended `"verificationMaterial"` type for use with the public Sigstore infrastructure. 
@@ -34,10 +36,23 @@ for use with the public Sigstore infrastructure. } ``` +##### Public Key Identifier + +A hint to identify an (out of band) delivered key, to verify a signature. Like traditional PKI key distribution +the format of the hint must be agreed upon out of band by the signer and the verifiers. The key itself is not embedded in the Sigstore bundle. + +```json +"verificationMaterial": { + "publicKeyIdentifier": { + "hint": "" + } +} +``` + #### Transparency Log Entries One or more transparency logs entries to provide proof of inclusion in a public log and optionally a timestamp to -validate signing occurred at a valid point in time. +validate signing occurred during ceritificate validity. ```json "verificationMaterial": { @@ -76,7 +91,7 @@ validate signing occurred at a valid point in time. #### Timestamp -Zero or more [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamps to validate signing occurred at a valid point in time +Zero or more [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamps to validate signing occurred during ceritificate validity. ```json "verificationMaterial": {
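Review bot: The rewritten sentence in the first hunk (the `+This is key material...` line) turns an unconditional requirement ("Bundles must include at least one ... timestamp") into one that applies only "When using short lived Fulcio certificates"; confirm that is intended, and if so state explicitly what the requirement is for the other key material type this same patch introduces (a public key identifier), since otherwise a reader cannot tell whether a bundle with only a `publicKeyIdentifier` and no timestamp is still considered valid. The same line also needs spelling fixes: "occured" should be "occurred", "ceritificates validity window" should be "certificate's validity window", and "short lived" should be hyphenated as "short-lived".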
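Review bot: In the new "Public Key Identifier" section the example shows `"hint": ""`, which documents nothing; use an obviously illustrative placeholder value or add a sentence describing what kind of value goes there, and say plainly that the hint is only a lookup key into the verifier's own trusted key set, so a verifier must never treat it as a location to fetch a key from or as evidence of the key's trustworthiness on its own. The prose in this hunk also has a couple of wording problems: "an (out of band) delivered key, to verify a signature" reads awkwardly (suggest "a key delivered out of band, used to verify the signature"), and "Like traditional PKI key distribution the format of the hint" needs a comma after "distribution". Finally, the changed `+validate signing occurred during ceritificate validity.` line misspells "certificate", and since this section now also covers bundles with no certificate at all, consider wording it so it still makes sense for the public key case (for example, keeping the original "at a valid point in time" phrasing alongside the certificate-specific one).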
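Review bot: The third hunk's new line `+Zero or more [RFC3161](...) timestamps to validate signing occurred during ceritificate validity.` repeats the "ceritificate" misspelling and, like the transparency log wording, describes only the certificate case; with the `publicKeyIdentifier` material added in this same patch there is no certificate validity window to check, so either keep the original "at a valid point in time" wording or explicitly scope the certificate wording to certificate-based verification material. It would also help to state in the "Timestamp" section that "Zero" is only acceptable when a transparency log signed entry timestamp is present, since the earlier paragraph requires at least one of the two.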