Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request For Comment: Removing support for detached SCTs #1499

Open
haydentherapper opened this issue Dec 20, 2023 · 5 comments
Open

Request For Comment: Removing support for detached SCTs #1499

haydentherapper opened this issue Dec 20, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@haydentherapper
Copy link
Contributor

haydentherapper commented Dec 20, 2023

Background

Certificate transparency background: RFC6962 supports the distribution of SCTs (log inclusion promises) in three ways: Embedded in a certificate, distributed alongside the certificate (detached), or as part of the TLS handshake.

There are almost no real-world webPKI examples of SCTs being distributed separately or in a TLS handshake from what I understand. Embedding has become the defacto approach. The only argument in support for detached SCTs could be to keep certificate size down while still recording a certificate in a log.

Originally, Fulcio only supported returning the SCT in a response header. Later, we added support for embedding the SCT in the certificate, solving the need to separately persist the promise. This has been running in production for a couple of years now.

Sigstore usage

I am aware of only one use case for Sigstore users to support detached SCTs, which is when using GCP CA Service to issue certificates. This is a limitation in the product: Since we cannot control serial numbers and issuance time, we cannot issue a precertificate and final certificate with the same values.

Clients

As more Sigstore clients are created, the focus is on the public instance, which only embeds SCTs. Furthermore, it would be unexpected for a private instance to configure Fulcio to not embed SCTs, as the default is to embed them, unless the private instance is using GCP CA Service.

Only Cosign and sigstore-java support detached SCTs currently, and in both cases, the detached SCTs are not persisted in either the OCI image annotations or Sigstore bundle (neither supports detached SCTs), meaning certificate inclusion is not verified by clients for the detached case.

Call to Action

This is a request for comment to remove support for detached SCTs from Fulcio. This will not break the API, only mark detached SCTs as deprecated. We will also remove the code to generate detached SCTs. GCP CA Service will no longer support generating SCTs until a product feature is added to control serial numbers and timestamps on issuance.

There should be no impact to clients, besides cleaning up unneeded code paths. There may be impact to private deployments.

Any concerns from clients? @loosebazooka @woodruffw @bdehamer @kommendorkapten @steiza

@haydentherapper haydentherapper added the enhancement New feature or request label Dec 20, 2023
@bdehamer
Copy link

This seems like a nice simplification, and I'm definitely in favor of that. This should have no impact on sigstore-js as it has never had support for detached SCTs.

One thing to note . . . we're running a private Fulcio instance w/ NO transparency log. In this mode, I noticed that the response from the create-signing-certificate API always uses the signedCertificateDetachedSct field in the response (despite the fact that there is no SCT). As the code is cleaned-up we'll want to make sure not to change this behavior so we don't break existing clients (/cc @codysoyland).

@loosebazooka
Copy link
Member

I already removed support for detached SCTs in Java (sigstore/sigstore-java#478) cause the logic was so annoying to deal with.

@kommendorkapten
Copy link
Member

Agree with this! This would also mean that we should deprecate this (unused flag): https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_verification.proto#L65

@woodruffw
Copy link
Member

woodruffw commented Dec 21, 2023

Strong support on my end! sigstore-python removed detached SCT verification a while back.

Edit: Whoops, spoke too soon -- the detached SCT handling code is still present, but I believe hasn't been exercised in a long time.

haydentherapper added a commit to haydentherapper/protobuf-specs that referenced this issue Jan 2, 2024
We do not plan to continue to support detached SCTs for Fulcio, and most
clients don't have support for detached SCT verification and the bundle
format does not include them.

Context: sigstore/fulcio#1499

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

@bdehamer Thanks for the heads up. I would not make any breaking changes to the API, so we'll still write responses to the detached SCT one-of message. I'll only mark the SCT field as deprecated.

haydentherapper added a commit to sigstore/protobuf-specs that referenced this issue Jan 2, 2024
* Deprecate support for detached SCTs

We do not plan to continue to support detached SCTs for Fulcio, and most
clients don't have support for detached SCT verification and the bundle
format does not include them.

Context: sigstore/fulcio#1499

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* make clean; make all

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

---------

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants