Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <simon@josefsson.org>
* Package name    : timestamp-authority
  Version         : 1.2.3-1
  Upstream Author : sigstore
* URL             : https://github.com/sigstore/timestamp-authority
* License         : Apache-2.0
  Programming Lang: Go
  Description     : RFC3161 Timestamp Authority
Sigstore Timestamp Authority
.
A service for issuing RFC 3161 timestamps
(https://datatracker.ietf.org/doc/html/rfc3161).
.
Timestamps conform to the RFC 3628 policy
(https://datatracker.ietf.org/doc/html/rfc3628). The timestamp structure
conforms to the updates in RFC 5816
(https://datatracker.ietf.org/doc/rfc5816).
.
Security model
.
Trusted timestamping
(https://en.wikipedia.org/wiki/Trusted_timestamping) is a process that
has been around for some time. It provides a timestamp record of when a
document was created or modified.
.
A timestamp authority creates signed timestamps using public key
infrastructure. The operator of the timestamp authority must secure the
signing key material to prevent unauthorized timestamp signing.
.
A timestamp authority should also verify its own clock. We provide a
configuration to periodically check the current time against well-known
NTP sources.
.
Timestamping within Sigstore
.
Timestamps are a critical component of Rekor
(https://github.com/sigstore/rekor), Sigstore's signature transparency
log. Timestamps are used to verify short-lived certificates. Currently,
the timestamp comes from Rekor's own internal clock, which is not
externally verifiable or immutable. Using signed timestamps issued from
timestamp authorities mitigates the risk of Rekor's clock being
manipulated.
.
As an artifact signer, you can:
.
* Generate a signature over an artifact
* Fetch a timestamp for that signature (more below in What to sign)
* Upload the signature, artifact hash, and certificate to Rekor
(hashedrekord record type)
* Upload the timestamp to Rekor (rfc3161 record type)
  * This step is important because it makes the timestamps publicly
    auditable
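As an added illustration of the artifact-signer steps above (example code written for this listing, not code from the timestamp-authority project or Sigstore), the Go program below builds the RFC 3161 TimeStampReq over a signature and performs the client-side checks on the TSTInfo that comes back. The signature bytes, nonce, serial number and the 2.999 policy OID are constructed placeholders; it assumes the TSTInfo has already been extracted from a CMS SignedData whose signature and TSA certificate chain were verified, and it does not show the HTTP exchange with the TSA or the Rekor upload.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-sha256 (2.16.840.1.101.3.4.2.1), named in the MessageImprint's hashAlgorithm.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// messageImprint is RFC 3161 MessageImprint: the digest the TSA binds to a time.
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// timeStampReq is RFC 3161 TimeStampReq (reqPolicy and extensions omitted).
// certReq is DEFAULT FALSE, so encoding/asn1 simply leaves it out when false.
type timeStampReq struct {
	Version        int
	MessageImprint messageImprint
	Nonce          *big.Int `asn1:"optional"`
	CertReq        bool     `asn1:"optional"`
}

// accuracy is RFC 3161 Accuracy.
type accuracy struct {
	Seconds int `asn1:"optional"`
	Millis  int `asn1:"optional,tag:0"`
	Micros  int `asn1:"optional,tag:1"`
}

// tstInfo is RFC 3161 TSTInfo, the content the TSA signs (trailing optional tsa and
// extensions left out; encoding/asn1 ignores unknown trailing SEQUENCE elements).
type tstInfo struct {
	Version        int
	Policy         asn1.ObjectIdentifier
	MessageImprint messageImprint
	SerialNumber   *big.Int
	GenTime        time.Time `asn1:"generalized"`
	Accuracy       accuracy  `asn1:"optional"`
	Ordering       bool      `asn1:"optional"`
	Nonce          *big.Int  `asn1:"optional"`
}

// buildTimestampRequest hashes the artifact signature (the flow above timestamps the
// signature, not the artifact) and returns the DER TimeStampReq plus the imprint the
// caller must keep to check the reply; certReq asks the TSA to include its certificate.
func buildTimestampRequest(signature []byte, nonce *big.Int) ([]byte, messageImprint, error) {
	digest := sha256.Sum256(signature)
	imprint := messageImprint{HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, HashedMessage: digest[:]}
	der, err := asn1.Marshal(timeStampReq{Version: 1, MessageImprint: imprint, Nonce: nonce, CertReq: true})
	return der, imprint, err
}

// checkTSTInfo parses a TSTInfo (assumed already extracted from a verified CMS SignedData)
// and confirms it binds exactly the imprint and nonce that were sent, so a token over
// other data or a replayed token is rejected before anything is uploaded to Rekor.
func checkTSTInfo(der []byte, want messageImprint, nonce *big.Int) (time.Time, error) {
	var info tstInfo
	rest, err := asn1.Unmarshal(der, &info)
	switch {
	case err != nil:
		return time.Time{}, fmt.Errorf("parse TSTInfo: %w", err)
	case len(rest) != 0:
		return time.Time{}, fmt.Errorf("trailing data after TSTInfo")
	case !info.MessageImprint.HashAlgorithm.Algorithm.Equal(want.HashAlgorithm.Algorithm):
		return time.Time{}, fmt.Errorf("hash algorithm differs from request")
	case !bytes.Equal(info.MessageImprint.HashedMessage, want.HashedMessage):
		return time.Time{}, fmt.Errorf("message imprint differs from request")
	case nonce != nil && (info.Nonce == nil || info.Nonce.Cmp(nonce) != 0):
		return time.Time{}, fmt.Errorf("nonce missing or differs from request")
	}
	return info.GenTime, nil
}

// sampleTSTInfo is a constructed TSTInfo standing in for what a TSA would sign (placeholder policy OID).
func sampleTSTInfo(imprint messageImprint, nonce *big.Int, genTime time.Time) ([]byte, error) {
	return asn1.Marshal(tstInfo{
		Version: 1, Policy: asn1.ObjectIdentifier{2, 999, 1}, MessageImprint: imprint,
		SerialNumber: big.NewInt(42), GenTime: genTime, Accuracy: accuracy{Seconds: 1}, Nonce: nonce,
	})
}

func main() {
	signature := []byte("constructed stand-in for an artifact signature") // not a real signature
	nonce, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	reqDER, imprint, err := buildTimestampRequest(signature, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("TimeStampReq: %d DER bytes over imprint %x\n", len(reqDER), imprint.HashedMessage)
	token, _ := sampleTSTInfo(imprint, nonce, time.Now().UTC()) // stand-in for the TSA's reply
	genTime, err := checkTSTInfo(token, imprint, nonce)
	fmt.Println("matching token:", genTime, err)
	other := sha256.Sum256([]byte("the artifact itself, not its signature"))
	bad, _ := sampleTSTInfo(messageImprint{HashAlgorithm: imprint.HashAlgorithm, HashedMessage: other[:]}, nonce, time.Now().UTC())
	_, err = checkTSTInfo(bad, imprint, nonce)
	fmt.Println("token over other data:", err)
}
```

The imprint comparison is what ties the token to the signature the signer actually uploads as the hashedrekord entry; the nonce check detects a stale or replayed reply. Both are done with the copy of the request the client kept, never with values taken from the response.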
I hope to maintain this package as part of the Debian Go Packaging Team:
https://salsa.debian.org/go-team/packages/timestamp-authority
/Simon