Hi there,

FWIW, this is a really interesting proposal, and I recognise the use case
in 1.2. Use Case: Verifying Stored Signature.

From a Docker perspective, being able to sign attestations on container
images using workload identity (e.g. GitHub) using something like
OpenPubkey (https://github.com/openpubkey/openpubkey) would be great, and
this proposal would help us to verify signatures created under previous
(expired) OIDC public keys.

Thanks,

James Carnegie (supply chain engineer at Docker)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
