The protobuf representation for in-toto attestations isn't as portable as standards bodies like the IETF would like to depend on. RFC8610 defines a concise data description language that specifically has the intention of unifying JSON (RFC8259) and CBOR (RFC8949). Given that JSON is not as compact and bandwidth-friendly, I think we should expand the in-toto information model to have CBOR encoding and COSE_Sign1 (RFC9052) signing envelopes. This should be in line with ITE-5, just subject to a new content media type application/vnd.in-toto+cose for the signed attestation and application/vnd.in-toto+cbor for the unsigned attestation for example.
By incorporating CBOR, in-toto attestations can more easily be included in CoRIM-based attestation verifiers like the Veraison project.
The biggest task is deciding on key indices for maps where previously there were textual names, though my recommendation is to assign from 0 in alphabetical order for the current version of the schema. I'm not sure if that assignment counts as needing an ITE or if an FR suffices.