Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible clarification required for source track's "strong authentication" #1266

Open
adityasaky opened this issue Jan 1, 2025 · 0 comments
Open

Possible clarification required for source track's "strong authentication" #1266

adityasaky opened this issue Jan 1, 2025 · 0 comments
Labels
source-track

Comments

@adityasaky
Copy link
Member

When working on #1265, I realized I have some questions about https://slsa.dev/spec/draft/source-requirements#strong-
authentication. The source track text currently says:

User accounts that can modify the source or the project’s configuration must use multi-factor authentication or its equivalent. This strongly authenticated identity MUST be used for the generation of source provenance attestations. The SCS MUST declare which forms of identity it considers to be trustworthy for this purpose. For cloud-based SCSs, this will typically be the identity used to push to a repository.

Other forms of identity MAY be included as informational. Examples include a git commit’s “author” and “committer” fields and a gpg signature’s “user id.” These forms of identity are user-provided and not typically verified by the source provenance attestation issuer.

This text makes some assumptions about the implementation of the SCS in that there exists some way to login and make changes to the source or its repository configuration. I'm not sure if it'd apply to cases such as git.kernel.org? Perhaps MFA should be an example of something that should be enabled if applicable?

On a related note, should we say what's an equivalent for MFA? is this an alternative for something like managing source configurations on a service such as GitHub? Or is the "equivalent" for cases like git.kernel.org where the configuration is managed in some other way and MFA may not apply?

There's some ambiguity in how the strongly authenticated identity is used in the generation of source provenance attestations. If this strongly authenticated identity is for the producer of the provenance attestation, then it may not meet the MFA requirement since we're looking at the signer of the attestation which may be a workflow identity? The sentence "this will typically be the identity used to push to a repository" contributes to the ambiguity, as it could be read to mean either the identity recorded in the provenance attestation or the identity associated with the signer of the provenance attestation.

I'm happy to open a PR for this but I'm curious to see what everyone thinks. 😄
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
source-track
Projects
Issue triage
Status: 🆕 New
SLSA Source Track
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@adityasaky