> During the pre-PEP discussion, there was a question of whether offline verification was supported by Sigstore. Using a Sigstore bundle (.sigstore) file, Sigstore clients support verifying the artifact completely offline.
> Using offline verification with Sigstore requires disabling root of trust updates and “pinning” a root of trust in a file to use during verification.
> [...]
> Offline verification also makes revocation checks impossible, but this is similar to PGP’s model where revocation of keys requires an online lookup.
How does this compare to CRL and OCSP for key revocation?
Fairly certain this just reinvents the wheel with less years of review
Synchronizing CT Certificate Transparency logs to browsers is apparently considered infeasible. Merkle Certificates may help with this too?
westurner•1mo ago
I am aware of gpg.fail; https://news.ycombinator.com/item?id=46403200
Have they yet eliminated the single points of failure from Sigstore (i.e. the centralized database)?
westurner•1mo ago
> During the pre-PEP discussion, there was a question of whether offline verification was supported by Sigstore. Using a Sigstore bundle (.sigstore) file, Sigstore clients support verifying the artifact completely offline.
> Using offline verification with Sigstore requires disabling root of trust updates and “pinning” a root of trust in a file to use during verification.
> [...]
> Offline verification also makes revocation checks impossible, but this is similar to PGP’s model where revocation of keys requires an online lookup.
How does this compare to CRL and OCSP for key revocation?
Fairly certain this just reinvents the wheel with less years of review
Synchronizing CT Certificate Transparency logs to browsers is apparently considered infeasible. Merkle Certificates may help with this too?