150b3730ef
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
34 lines
1.5 KiB
Markdown
34 lines
1.5 KiB
Markdown
# Trust and Signing (DOCS-AIRGAP-58-002)
|
|
|
|
Guidance on DSSE/TUF roots, rotation, and signed time tokens.
|
|
|
|
## Trust roots
|
|
- Maintain offline root keys for DSSE/TUF; store in HSM or sealed vault.
|
|
- Distribute intermediate/leaf keys via bootstrap packs with fingerprints.
|
|
- Keep trust roots versioned; record `rootVersion` and validity period.
|
|
|
|
## DSSE
|
|
- Use DSSE for bundle manifests (mirror/bootstrap) and evidence timelines when possible.
|
|
- Verification in sealed mode uses bundled roots; no online Rekor needed.
|
|
- Rotate signing keys with overlapping validity; publish new root in next bundle.
|
|
|
|
## TUF (optional)
|
|
- If using TUF metadata, ship `root.json`, `snapshot.json`, `timestamp.json` with bundles.
|
|
- In sealed mode, trust only bundled metadata; no remote refresh.
|
|
|
|
## Signed time tokens
|
|
- Export signed time anchors (see `docs/airgap/staleness-and-time.md`):
|
|
- Token fields: `issuedAt`, `notAfter`, `timeSource`, `signature`, `rootVersion`.
|
|
- Validate offline against trust roots; expire strictly at `notAfter`.
|
|
|
|
## Rotation procedure
|
|
1. Prepare new root and leaf keys; sign new root with current root.
|
|
2. Include new `root.json` and fingerprints in next mirror/bootstrap bundle.
|
|
3. During import, verify both current and new root; switch default after verification.
|
|
4. Re-sign manifests/time tokens with new leaf.
|
|
|
|
## Security notes
|
|
- Never fetch keys online in sealed mode.
|
|
- Keep audit log of rotations (who, when, rootVersion, fingerprints).
|
|
- Enforce least privilege for signing service accounts.
|