Attestor Offline Verification Guide
Audience: Attestor operators, AirGap owners, CI/Release engineers
Purpose: Explain how to verify attestations and timestamp evidence in fully offline environments.
1. Offline Inputs
Offline verification expects all evidence to be bundled locally:
- DSSE envelopes + certificate chains.
- Rekor inclusion proofs + a pinned checkpoint.
- RFC3161 timestamp evidence with bundled TSA chain and revocation data:
  - tsa/chain/ (PEM certificates, leaf -> root)
  - tsa/ocsp/ (stapled OCSP responses)
  - tsa/crl/ (CRL snapshots when OCSP is unavailable)
2. Bundle Layout Expectations
Minimum paths for timestamp verification:
- manifest.json with timestamps[] entries.
- tsa/chain/*.pem for each RFC3161 timestamp.
- tsa/ocsp/*.der or tsa/crl/*.crl (revocation evidence).
3. CLI Workflow (Offline)
Use the bundle verification flow aligned to domain operations:
stella bundle verify --bundle /path/to/bundle --offline --trust-root /path/to/tsa-root.pem --rekor-checkpoint /path/to/checkpoint.json
Notes:
- Offline mode fails closed when revocation evidence is missing or invalid.
- Trust roots must be provided locally; no network fetches are allowed.
4. Verification Behavior
- TSA chain is validated against the provided trust roots.
- Revocation evidence is verified using bundled OCSP/CRL data.
- Rekor proofs are verified against the pinned checkpoint when provided.
5. References
- docs/modules/attestor/guides/timestamp-policy.md
- docs/modules/attestor/airgap.md
- docs/modules/airgap/guides/staleness-and-time.md