DSSE Extension for Timestamping and PKI Support #60

Open
colek42 opened this issue May 30, 2023 · 0 comments
colek42 commented May 30, 2023

Missing some detail, but here is a first attempt at an extension for PKI/TSA.

Abstract

This document proposes an extension to the Dead Simple Signature Envelope (DSSE) specification to incorporate support for Time Stamping Authority (TSA) timestamps and Public Key Infrastructure (PKI) including intermediate certificates.

Introduction

The proposed extension aims to add functionality to the DSSE specification by providing more options for the verification process. It suggests modifications that will enable DSSE to include timestamp information provided by a TSA and the inclusion of intermediate certificates in a PKI setup.

Proposed Changes

The following changes are proposed to the existing DSSE specification.

Signature Message

The Signature message should be extended to support multiple extensions:

message Signature {
  bytes sig = 1;
  string keyid = 2;
  repeated Extension extension = 3;  
}

Extension Message

The existing Extension message remains the same:

message Extension {
  string type_ = 1;
  google.protobuf.Struct ext = 2;
}

Timestamp Extension

A new TimestampExtension message will be introduced to handle TSA timestamps:

message TimestampExtension {
  string sig = 1;             // timestamp token returned by the TSA
  string keyid = 2;
  string tsa_url = 3;         // field numbers must be unique; tsa_url was also numbered 2
  bytes tsa_public_key = 4;
}

PKI Extension

Another new message called PKIExtension will be introduced to support PKI with intermediate certificates:

message PKIExtension {
  string keyid = 1;
  repeated string intermediate_certs = 2;
  string root_cert = 3;
}

The root_cert field is optional; it is to be provided externally, through a policy, for verification against.

Conclusion

The proposed extension to DSSE is designed to enhance its capabilities by including support for timestamps provided by a TSA and support for PKI with intermediate certificates. Implementing this proposal should provide more flexibility and control for users of DSSE.
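As an added illustration of the verification flow the PKI extension implies (example code written for this review, not the DSSE project's own), the Go program below builds a constructed root -> intermediate -> leaf chain, signs a DSSE pre-authentication encoding with the leaf key, and verifies it the way a consumer of the extension would: intermediate_certs come from the envelope and are treated as untrusted input, while the root comes only from verifier policy, as the proposal states. It assumes DER-encoded certificates rather than the proposal's strings, Ed25519 keys, and that the leaf certificate travels alongside the signature, which the proposal does not yet specify.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// pae is the DSSE v1 pre-authentication encoding; it is what the signature covers.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// mkCert issues a constructed test certificate (assumed test PKI); parent == nil means self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent, pk = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify chains the leaf through the envelope's intermediate_certs to the policy-supplied root, then checks the PAE signature.
func verify(sig, leafDER []byte, intermediateCerts [][]byte, pt string, payload []byte, policyRoot *x509.Certificate) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return err }
	inter := x509.NewCertPool()
	for _, der := range intermediateCerts { // chain material carried in the envelope is untrusted input
		if c, err := x509.ParseCertificate(der); err != nil { return err } else { inter.AddCert(c) }
	}
	roots := x509.NewCertPool(); roots.AddCert(policyRoot) // the trust anchor comes from policy, never from the envelope
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, pae(pt, payload), sig) { return fmt.Errorf("bad signature") }
	return nil
}
// demo: root -> intermediate -> leaf signs a constructed payload; verify with the policy root, with the intermediate missing, and against a rogue root.
func demo() (ok, noIntermediate, rogueRoot bool) {
	root, rootKey := mkCert("policy root", true, nil, nil)
	inter, interKey := mkCert("intermediate", true, root, rootKey)
	leaf, leafKey := mkCert("signer", false, inter, interKey)
	rogue, _ := mkCert("rogue root", true, nil, nil)
	pt, payload := "application/vnd.in-toto+json", []byte(`{"note":"constructed sample"}`)
	sig := ed25519.Sign(leafKey, pae(pt, payload))
	return verify(sig, leaf.Raw, [][]byte{inter.Raw}, pt, payload, root) == nil,
		verify(sig, leaf.Raw, nil, pt, payload, root) == nil, verify(sig, leaf.Raw, [][]byte{inter.Raw}, pt, payload, rogue) == nil
}
```

Only the first verification succeeds: dropping the intermediate from the extension leaves the leaf unchained, and a root the policy does not name is rejected even though the envelope's chain is internally valid.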
