Hi there, FWIW, this is a really interesting proposal, and I recognise the use case in 1.2. Use Case: Verifying Stored Signature.
From a Docker perspective, being able to sign attestations on container images using workload identity (e.g. GitHub) using something like OpenPubkey (https://github.com/openpubkey/openpubkey) would be great, and this proposal would help us to verify signatures created under previous (expired) OIDC public keys.

Thanks,
James Carnegie (supply chain engineer at Docker)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth