From fd9902d984c9f78164e82089637fe7e2e0ead611 Mon Sep 17 00:00:00 2001 From: Tracy Miranda Date: Thu, 25 Jul 2024 15:26:09 -0400 Subject: [PATCH] Terminology fixes for clarity Signed-off-by: Tracy Miranda --- fulcio-spec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fulcio-spec.md b/fulcio-spec.md index f91e52e..30b8bbf 100644 --- a/fulcio-spec.md +++ b/fulcio-spec.md 
@@ -71,7 +71,7 @@ Note that Fulcio can be used with self-managed keys, as described in a [Sigstore ## 3. Issuance - Life of a Request -The client submits a certificate request to Fulcio. The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token. This is a signed JWT containing information about the principal (identity of the client), the issuer (who issued the identity token - Google, Microsoft, GitHub, etc.) and additional metadata such as expiration. The principal identity can either be a signing identity in the form of an email or username, or a workload identity. The certificate request MUST contain either: +The client submits a certificate request to Fulcio. The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token. This is a signed JWT containing information about the principal (identity of the signer), the issuer (who issued the identity token - Google, Microsoft, GitHub, etc.) and additional metadata such as expiration. The principal identity can either be a signing identity in the form of an email or username, or a workload identity. The certificate request MUST contain either: - A public key and signed challenge. This is the public portion of a cryptographic key pair generated by the client. The public key will be embedded in the issued X.509 certificate. The challenge proves the client is in possession of the private key that corresponds to the public key provided. The challenge SHOULD be created by signing the subject (`sub`) of the OIDC identity token. - A PKCS#10 ([RFC2986](https://www.rfc-editor.org/rfc/rfc2986)) certificate signing request (CSR), which also provides a proof of possession and the public key. The CSR subject MAY contain the subject of the OIDC ID token, but there is no mandate to do so, as Fulcio will not check that the subject of the CSR matches the subject of the token. 
@@ -84,7 +84,7 @@ Fulcio MUST authenticate the OIDC ID token. To authenticate, Fulcio MUST follow Fulcio does not support MAC-based authentication. -Once the client has been authenticated, Fulcio MUST verify the client is in possession of the private key of the public key they’ve submitted. Fulcio MUST verify the signed challenge or CSR. For a signed challenge, this MUST be a signature over the identity claim of the ID token, which SHOULD be the `sub` claim but MAY be a non-standard claim as Fulcio supports configuration of this claim. The challenge and CSR are verified using the provided public key. +Once the token has been authenticated, Fulcio MUST verify the client is in possession of the private key of the public key they’ve submitted. Fulcio MUST verify the signed challenge or CSR. For a signed challenge, this MUST be a signature over the identity claim of the ID token, which SHOULD be the `sub` claim but MAY be a non-standard claim as Fulcio supports configuration of this claim. The challenge and CSR are verified using the provided public key. Fulcio now creates and signs a code signing certificate for the identity from the ID token. Fulcio MUST:
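Review bot: In the first hunk (the paragraph starting "The client submits a certificate request to Fulcio"), the change from "identity of the client" to "identity of the signer" is consistent with the later hunk's "token"/"client" distinction, but the same sentence still reads "The certificate request MUST contain a certificate request described subsequently and OpenID Connect (OIDC) identity token", which is circular and is missing the article before "OpenID Connect". Since this patch is a terminology pass, consider tightening that sentence in the same change, for example: "The certificate request MUST contain one of the two request forms described below and an OpenID Connect (OIDC) identity token." The unchanged bullets below it still say "generated by the client"; that is fine, since the key pair is generated by the client, but it is worth confirming the client/signer split is intentional there so readers do not treat the two words as interchangeable.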
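Review bot: In the second hunk, "Once the token has been authenticated" is the right fix, since the preceding context line says Fulcio authenticates the OIDC ID token rather than the client, but the remainder of the sentence still has a singular/plural mismatch ("the client ... they've submitted") and the awkward "private key of the public key". Suggest rewording the rest of the changed line in the same hunk to something like: "Fulcio MUST verify the client is in possession of the private key corresponding to the public key it submitted." The sentence that follows ("Fulcio now creates and signs a code signing certificate ...") reads as narrative; "Fulcio then creates" would better match the normative MUST/SHOULD register used throughout the section.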