Comments (2)
Rationale
Not using WKD or public pubkey servers makes the implementation more reliable and simpler for provider and client implementors.
WKD would require an email address, and public pubkey servers often do not provide additional data to verify the pubkey.
from csaf_distribution.
changes towards csd02
The standard document has meanwhile changed to be more explicit about this:
The public part of the OpenPGP key used to sign the CSAF documents MUST be available. It SHOULD also be available at a public key server.
For example, the public part of the OpenPGP key could be placed in a directory openpgp adjacent to the provider-metadata.json.
```json
"public_openpgp_keys": [
  {
    "fingerprint": "8F5F267907B2C4559DB360DB2294BA7D2B2298B1",
    "url": "https://keys.example.net/vks/v1/by-fingerprint/8F5F267907B2C4559DB360DB2294BA7D2B2298B1"
  }
],
```
technical approach

- We can use the long fingerprint as the filename in the `openpgp` directory.
- The csaf_provider can use the `create` step to copy over the current public key into the directory, if it is not in there. Previous pubkeys stay in there.
- The aggregator will copy all pubkeys in mirror mode and add its own pubkey if it does additional signatures.
- The `provider-metadata.json` shall list all pubkeys in that directory.
from csaf_distribution.
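One way to produce that listing and enforce the fingerprint-as-filename convention, as an added example that is not csaf_distribution code and not the commenters' own (the project's Go implementation may differ): a standard-library Python script that computes each key's v4 fingerprint from the key material itself, turns every `*.asc` file of an assumed `openpgp/` directory into a `public_openpgp_keys` entry under an assumed URL scheme `<base_url>/openpgp/<name>`, and refuses a file whose name is not the fingerprint of the key it holds. The sample key it builds for the run is constructed with toy MPIs and is not a real key.

```python
"""Added example, not csaf_distribution code: build the public_openpgp_keys list
from an "openpgp" directory whose files are named <FINGERPRINT>.asc (assumed layout).
v4 fingerprint per RFC 4880 12.2: SHA-1(0x99 || 2-byte packet length || packet body)."""
import base64
import hashlib
import os
import struct


def dearmor(text: str) -> bytes:
    """Packet bytes inside an ASCII-armored public key block."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    data, in_data = [], False
    for s in (line.strip() for line in lines[1:]):
        if s.startswith("-----END"):
            break
        if not in_data and (s == "" or ":" in s):   # armor headers, ended by a blank line
            in_data = s == ""
            continue
        in_data = True
        if not s.startswith("="):                    # a leading "=" marks the CRC24 line
            data.append(s)
    return base64.b64decode("".join(data))


def first_public_key_packet(data: bytes) -> bytes:
    """Body of the first public-key packet (tag 6) in an OpenPGP packet sequence."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                        # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hlen = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        elif ctb & 0x80 and (ctb & 0x03) != 3:                # old-format header
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)     # 1-, 2- or 4-byte length
            length, hlen = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        else:
            raise ValueError("unsupported packet header")
        if tag == 6:
            return data[i + hlen:i + hlen + length]
        i += hlen + length
    raise ValueError("no public-key packet found")


def fingerprint(armored: str) -> str:
    """Upper-case hex v4 fingerprint of the primary key in an armored key block."""
    body = first_public_key_packet(dearmor(armored))
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def public_openpgp_keys(files: dict, base_url: str) -> list:
    """files maps file name -> armored key text, i.e. the content of the openpgp
    directory. Every *.asc file becomes one entry, so older keys stay listed;
    a misnamed file raises instead of being published under a wrong fingerprint."""
    entries = []
    for name in sorted(n for n in files if n.endswith(".asc")):
        fp = fingerprint(files[name])
        if name[:-4].upper() != fp:
            raise ValueError(f"{name}: file name is not the key's fingerprint {fp}")
        entries.append({"fingerprint": fp, "url": f"{base_url}/openpgp/{name}"})
    return entries


def list_openpgp_dir(openpgp_dir: str, base_url: str) -> list:
    """Same, for a real directory on disk."""
    files = {}
    for name in os.listdir(openpgp_dir):
        with open(os.path.join(openpgp_dir, name), encoding="ascii") as f:
            files[name] = f.read()
    return public_openpgp_keys(files, base_url)


def constructed_sample_key(created: int = 1700000000, new_format: bool = False) -> str:
    """Constructed v4 RSA key with toy MPIs: cryptographically useless, framing only."""
    def mpi(v: int) -> bytes:
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    if new_format:
        packet = bytes([0xC6, len(body)]) + body              # new-format tag 6, 1-byte length
    else:
        packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length
    crc = 0xB704CE                                            # armor CRC24, RFC 4880 6.1
    for b in packet:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n="
            + base64.b64encode((crc & 0xFFFFFF).to_bytes(3, "big")).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Calling `list_openpgp_dir("/var/www/csaf/openpgp", "https://provider.example/.well-known/csaf")` (assumed paths) yields the array to place in provider-metadata.json. Deriving the fingerprint from the key bytes rather than trusting the file name is what turns the listing into a check: a file copied under the wrong name, a v5 key, or a packet header the parser does not understand stops the run instead of being advertised under a fingerprint that no client will be able to match.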