FR or ITE? CDDL definition for JSON/CBOR plus bindings in Go/Python #361

Open

deeglaze opened this issue May 30, 2024 · 0 comments

@deeglaze

The protobuf representation for in-toto attestations isn't as portable as standards bodies like the IETF would like to depend on. RFC8610 defines a concise data description language that specifically has the intention of unifying JSON (RFC8259) and CBOR (RFC8949). Given that JSON is not as compact and bandwidth-friendly, I think we should expand the in-toto information model to have CBOR encoding and COSE_Sign1 (RFC9052) signing envelopes. This should be in line with ITE-5, just subject to a new content media type application/vnd.in-toto+cose for the signed attestation and application/vnd.in-toto+cbor for the unsigned attestation for example.

By incorporating CBOR, in-toto attestations can be more easily included in CoRIM-based attestation verifiers like the Veraison project.

The biggest task is deciding on key indices for maps where previously there were textual names, though my recommendation is to assign from 0 in alphabetical order for the current version of the schema. I'm not sure if that assignment counts as needing an ITE or if an FR suffices.
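As an added illustration of the proposal above (this is not code from the issue or from the in-toto project), the block below assigns integer map keys to the Statement fields from 0 in alphabetical order and encodes a constructed sample statement with a minimal RFC 8949 deterministic CBOR encoder, so the size difference against compact JSON can be measured directly. The field names are assumed from the in-toto Statement and ResourceDescriptor v1 layout; the predicate is treated as opaque, and the COSE_Sign1 envelope is left out because it needs a signing key.

```python
import json

# Minimal RFC 8949 CBOR encoder (unsigned ints, byte/text strings, arrays, maps)
# following the deterministic rules of section 4.2.1: shortest integer heads and
# map keys sorted bytewise by their own encoding.
def _head(major, n):
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for a CBOR head")

def cbor_encode(v):
    if isinstance(v, bool):
        raise TypeError("booleans not needed for this schema")
    if isinstance(v, int) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, (list, tuple)):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        items = sorted((cbor_encode(k), cbor_encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type {type(v).__name__}")

# Schema field names (assumed from the in-toto v1 layout, not from the issue),
# given integer keys from 0 in alphabetical order as the issue proposes.
# "_type" sorts first because "_" (0x5F) precedes lowercase letters in ASCII.
STATEMENT_KEYS = sorted(["_type", "subject", "predicateType", "predicate"])
RESOURCE_DESCRIPTOR_KEYS = sorted(["name", "uri", "digest", "content",
                                   "downloadLocation", "mediaType", "annotations"])

def remap_keys(obj, schema):
    """Replace one schema object's textual field names with their indices (KeyError on unknown fields)."""
    index = {name: i for i, name in enumerate(schema)}
    return {index[k]: v for k, v in obj.items()}

def statement_to_cbor(stmt):
    """Encode a Statement with integer keys; the predicate keeps its own text keys."""
    stmt = dict(stmt)
    stmt["subject"] = [remap_keys(rd, RESOURCE_DESCRIPTOR_KEYS) for rd in stmt["subject"]]
    return cbor_encode(remap_keys(stmt, STATEMENT_KEYS))

# Constructed sample statement (placeholder digest, not a real artifact).
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://example.com/predicate/v1",
    "predicate": {"builder": "example"},
}

def size_comparison(stmt=SAMPLE_STATEMENT):
    """Return (compact JSON byte length, CBOR byte length) for the same statement."""
    as_json = json.dumps(stmt, separators=(",", ":")).encode("utf-8")
    return len(as_json), len(statement_to_cbor(stmt))
```

Running `size_comparison()` on the sample shows the integer-keyed CBOR form is noticeably smaller than the compact JSON form of the same statement.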
