up

docs/security/trust-and-signing.md

@@ -0,0 +1,33 @@
+# Trust and Signing (DOCS-AIRGAP-58-002)
+
+Guidance on DSSE/TUF roots, rotation, and signed time tokens.
+
+## Trust roots
+- Maintain offline root keys for DSSE/TUF; store in HSM or sealed vault.
+- Distribute intermediate/leaf keys via bootstrap packs with fingerprints.
+- Keep trust roots versioned; record `rootVersion` and validity period.
+
+## DSSE
+- Use DSSE for bundle manifests (mirror/bootstrap) and evidence timelines when possible.
+- Verification in sealed mode uses bundled roots; no online Rekor needed.
+- Rotate signing keys with overlapping validity; publish new root in next bundle.
+
+## TUF (optional)
+- If using TUF metadata, ship `root.json`, `snapshot.json`, `timestamp.json` with bundles.
+- In sealed mode, trust only bundled metadata; no remote refresh.
+
+## Signed time tokens
+- Export signed time anchors (see `docs/airgap/staleness-and-time.md`):
+  - Token fields: `issuedAt`, `notAfter`, `timeSource`, `signature`, `rootVersion`.
+  - Validate offline against trust roots; expire strictly at `notAfter`.
+
+## Rotation procedure
+1. Prepare new root and leaf keys; sign new root with current root.
+2. Include new `root.json` and fingerprints in next mirror/bootstrap bundle.
+3. During import, verify both current and new root; switch default after verification.
+4. Re-sign manifests/time tokens with new leaf.
+
+## Security notes
+- Never fetch keys online in sealed mode.
+- Keep audit log of rotations (who, when, rootVersion, fingerprints).
+- Enforce least privilege for signing service accounts.