Terminology fixes for clarity
Signed-off-by: Tracy Miranda <[email protected]>
tracymiranda authored Jul 25, 2024
1 parent a01640d commit fd9902d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions fulcio-spec.md
Expand Up @@ -71,7 +71,7 @@ Note that Fulcio can be used with self-managed keys, as described in a [Sigstore

## 3. Issuance - Life of a Request

The client submits a certificate request to Fulcio. The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token. This is a signed JWT containing information about the principal (identity of the client), the issuer (who issued the identity token - Google, Microsoft, GitHub, etc.) and additional metadata such as expiration. The principal identity can either be a signing identity in the form of an email or username, or a workload identity. The certificate request MUST contain either:
The client submits a certificate request to Fulcio. The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token. This is a signed JWT containing information about the principal (identity of the signer), the issuer (who issued the identity token - Google, Microsoft, GitHub, etc.) and additional metadata such as expiration. The principal identity can either be a signing identity in the form of an email or username, or a workload identity. The certificate request MUST contain either:

- A public key and signed challenge. This is the public portion of a cryptographic key pair generated by the client. The public key will be embedded in the issued X.509 certificate. The challenge proves the client is in possession of the private key that corresponds to the public key provided. The challenge SHOULD be created by signing the subject (`sub`) of the OIDC identity token.
- A PKCS#10 ([RFC2986](https://www.rfc-editor.org/rfc/rfc2986)) certificate signing request (CSR), which also provides a proof of possession and the public key. The CSR subject MAY contain the subject of the OIDC ID token, but there is no mandate to do so, as Fulcio will not check that the subject of the CSR matches the subject of the token.
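Review bot: the first sentence of the edited paragraph, in both the old and the new line, reads "The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token", which is circular (a request containing a request) and drops the article before "OpenID Connect"; since this commit already touches that line, consider rewording it to "The certificate request MUST contain an OpenID Connect (OIDC) identity token and one of the two proof-of-possession forms described below". The "client" to "signer" change in the parenthetical is correct, because the principal is the identity being certified rather than the software submitting the request, but the same paragraph and the bullets under it still use "client" in "generated by the client" and "proves the client is in possession"; if the split is intentional (client = the requesting software, signer = the identity in the token), a one-sentence definition of both terms at the start of section 3 would make it explicit.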
Expand All @@ -84,7 +84,7 @@ Fulcio MUST authenticate the OIDC ID token. To authenticate, Fulcio MUST follow

Fulcio does not support MAC-based authentication.

Once the client has been authenticated, Fulcio MUST verify the client is in possession of the private key of the public key they’ve submitted. Fulcio MUST verify the signed challenge or CSR. For a signed challenge, this MUST be a signature over the identity claim of the ID token, which SHOULD be the `sub` claim but MAY be a non-standard claim as Fulcio supports configuration of this claim. The challenge and CSR are verified using the provided public key.
Once the token has been authenticated, Fulcio MUST verify the client is in possession of the private key of the public key they’ve submitted. Fulcio MUST verify the signed challenge or CSR. For a signed challenge, this MUST be a signature over the identity claim of the ID token, which SHOULD be the `sub` claim but MAY be a non-standard claim as Fulcio supports configuration of this claim. The challenge and CSR are verified using the provided public key.

Fulcio now creates and signs a code signing certificate for the identity from the ID token. Fulcio MUST:

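Review bot: replacing "client" with "token" in "Once the token has been authenticated" is the right fix, since the step above only authenticates the OIDC ID token and it is the possession check that follows which ties the requester to the key; one ambiguity remains in the last sentence of the same line, "The challenge and CSR are verified using the provided public key", which is misleading for the CSR path because, per the earlier bullet, the CSR itself carries both the public key and the proof of possession. Suggest splitting it: "The signed challenge is verified using the public key submitted alongside it; the CSR signature is verified using the public key contained in the CSR." Separately, "the private key of the public key they've submitted" would read better as "the private key corresponding to the submitted public key".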
