Trust and Signing (DOCS-AIRGAP-58-002)
Guidance on DSSE/TUF roots, rotation, and signed time tokens.
Trust roots
- Maintain offline root keys for DSSE/TUF; store in HSM or sealed vault.
- Distribute intermediate/leaf keys via bootstrap packs with fingerprints.
- Keep trust roots versioned; record `rootVersion` and validity period.
DSSE
- Use DSSE for bundle manifests (mirror/bootstrap) and evidence timelines when possible.
- Verification in sealed mode uses bundled roots; no online Rekor needed.
- Rotate signing keys with overlapping validity; publish new root in next bundle.
TUF (optional)
- If using TUF metadata, ship `root.json`, `snapshot.json`, `timestamp.json` with bundles.
- In sealed mode, trust only bundled metadata; no remote refresh.
Signed time tokens
- Export signed time anchors (see `docs/airgap/staleness-and-time.md`).
- Token fields: `issuedAt`, `notAfter`, `timeSource`, `signature`, `rootVersion`.
- Validate offline against trust roots; expire strictly at `notAfter`.
Rotation procedure
- Prepare new root and leaf keys; sign new root with current root.
- Include new `root.json` and fingerprints in next mirror/bootstrap bundle.
- During import, verify both current and new root; switch default after verification.
- Re-sign manifests/time tokens with new leaf.
Security notes
- Never fetch keys online in sealed mode.
- Keep an audit log of rotations (who, when, `rootVersion`, fingerprints).
- Enforce least privilege for signing service accounts.