Discuss signing key expiry

[shizhMSFT]

Resolves #84

[priteshbandi]

Unless all artifacts signed by the key are not timestamped or If the artifact are timestamped, all Deployers are validating timestamp with configured trusted TSAs, the compromise of short term key can have high blast radius as malicious actor can backdate the signing time and select a local TSA to sign the artifact. Thus they needs to be protected all the time(until deleted).

[sudo-bmitch]

Typically key expiry is used to limit how long a signed artifact would be considered valid before requiring it to be resigned. One advantage of this is the CA signing the key's certificate can choose how long to trust that key which gives an upper limit on how long a breached key's signed artifacts may be encountered in the wild. If we allow a TSA to arbitrarily extend that limit, that removes the control the CA has on how long signed artifacts from that key are trusted.

This is trading off the fixed trust on both the key and artifact, for a short trust on the key and a potentially unlimited trust on the artifacts that short term key signs. I personally won't want to trust a TSA extended artifact unless there's some assurance the organization issuing the original signing key has some control on the max lifetime of those signed artifacts.

[SteveLasker]

@priteshbandi, do we want to close this as this seems to be covered in the signature specs?

[gillg]

You should also take a look on my notes here : #208 (comment)
I really think it's a important subject, and possibly consider a build artifact as a long term signed object. Obviously, util we can revoke a key by security.

[github-actions]

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 30 days.