https://github.com/secure-systems-lab/dsse
A specification for signing methods and formats used by Secure Systems Lab projects.
- Host: GitHub
- URL: https://github.com/secure-systems-lab/dsse
- Owner: secure-systems-lab
- License: apache-2.0
- Created: 2020-09-01T10:20:42.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-09-11T02:54:40.000Z (4 months ago)
- Last Synced: 2024-09-11T08:14:50.441Z (4 months ago)
- Language: Jupyter Notebook
- Homepage: https://dsse.dev
- Size: 97.7 KB
- Stars: 65
- Watchers: 20
- Forks: 18
- Open Issues: 19
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- dereks-awesome-list - DSSE - Simple, foolproof standard for signing arbitrary data. (Security / Software Supply Chain Security)
README
# DSSE: Dead Simple Signing Envelope
Simple, foolproof standard for signing arbitrary data.
## Features
* Supports arbitrary message encodings, not just JSON.
* Authenticates the message *and* the type to avoid confusion attacks.
* Avoids canonicalization to reduce attack surface.
* Allows any desired crypto primitives or libraries.

See [Background](background.md) for more information, including design
considerations and rationale.

## What is it?
Specifications for:
* [Protocol](protocol.md) (*required*)
* [Data structure](envelope.md), a.k.a. "Envelope" (*recommended*)
* (pending #9) Suggested crypto primitives

Out of scope (for now at least):
* Key management / PKI /
  [exclusive ownership](https://www.bolet.org/~pornin/2005-acns-pornin+stern.pdf)

## Why not...?
* Why not raw signatures? Too fragile.
* Why not [JWS](https://tools.ietf.org/html/rfc7515)? Too many insecure
implementations and features.
* Why not [PASETO](https://paseto.io)? JSON-specific, too opinionated.
* Why not the legacy TUF/in-toto signature scheme? JSON-specific, relies on
  canonicalization.

See [Background](background.md) for further motivation.
## Who uses it?
* [in-toto](https://in-toto.io) (pending implementation of [ITE-5](https://github.com/in-toto/ITE/blob/master/ITE/5/README.adoc))
* [TUF](https://theupdateframework.io) (pending implementation of [TAP-17](https://github.com/theupdateframework/taps/pull/138))

## How can we use it?
* There is a Python implementation in [this repository](implementation/).
* There's a DSSE library for Go in [go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse).
* SigStore includes a [Go implementation](https://github.com/sigstore/sigstore/tree/main/pkg/signature/dsse)
  that supports hardware tokens, cloud KMS systems, and more.

## Versioning
The DSSE specification follows semantic versioning, and is released using Git
tags. The `master` branch points to the latest release. Changes to the
specification are submitted against the `devel` branch, and are merged into
`master` when they are ready to be released.