From d3c4c0f6482244b258d289abb6f6703020cef4cc Mon Sep 17 00:00:00 2001 From: Yi Zha Date: Tue, 30 Jul 2024 11:42:14 +0800 Subject: [PATCH 1/2] doc: add back mistakenly removed sentence Signed-off-by: Yi Zha --- specs/signature-specification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/signature-specification.md b/specs/signature-specification.md index bd619c1..0c83bb7 100644 --- a/specs/signature-specification.md +++ b/specs/signature-specification.md @@ -146,7 +146,7 @@ See [Guidelines for implementations of the Notary Project signature specificatio ### Unsigned Attributes -These attributes are considered unsigned with respect to the signing key that generates the signature. +These attributes are considered unsigned with respect to the signing key that generates the signature. These attributes are typically signed by a third party (e.g. CA, TSA). - **Certificate Chain**: This is a REQUIRED attribute that contains the ordered list of X.509 public certificates associated with the signing key used to generate the signature. The ordered list starts with the signing certificate, any intermediate certificates and ends with the root certificate. The certificate chain MUST be authenticated against a trust store as part of signature validation. Specific requirements for the certificates in the chain are provided [here](#certificate-requirements). - **Timestamp Signature**: An OPTIONAL countersignature generated by a trusted third party, such as a Timestamp Authority (TSA). Its purpose is to demonstrate that the primitive signature, computed on payload and signed attributes, was generated before the timestamp. Only [RFC 3161][ietf-rfc3161] compliant timestamp signatures are supported. If present, this claim is validated and used solely under the [`notary.x509`](./signing-scheme.md/#notaryx509) signing scheme. From 381600430a07f006f94d12f622a35cae262f40a2 Mon Sep 17 00:00:00 2001 
From: Yi Zha Date: Wed, 31 Jul 2024 08:26:18 +0800 Subject: [PATCH 2/2] update per comments Signed-off-by: Yi Zha --- specs/signature-specification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/signature-specification.md b/specs/signature-specification.md index 0c83bb7..1c158ae 100644 --- a/specs/signature-specification.md +++ b/specs/signature-specification.md @@ -146,7 +146,7 @@ See [Guidelines for implementations of the Notary Project signature specificatio ### Unsigned Attributes -These attributes are considered unsigned with respect to the signing key that generates the signature. These attributes are typically signed by a third party (e.g. CA, TSA). +These attributes are considered unsigned with respect to the signing key that generates the signature. These attributes may be independently signed by a third party (e.g. CA, TSA) for various purposes. - **Certificate Chain**: This is a REQUIRED attribute that contains the ordered list of X.509 public certificates associated with the signing key used to generate the signature. The ordered list starts with the signing certificate, any intermediate certificates and ends with the root certificate. The certificate chain MUST be authenticated against a trust store as part of signature validation. Specific requirements for the certificates in the chain are provided [here](#certificate-requirements). - **Timestamp Signature**: An OPTIONAL countersignature generated by a trusted third party, such as a Timestamp Authority (TSA). Its purpose is to demonstrate that the primitive signature, computed on payload and signed attributes, was generated before the timestamp. Only [RFC 3161][ietf-rfc3161] compliant timestamp signatures are supported. If present, this claim is validated and used solely under the [`notary.x509`](./signing-scheme.md/#notaryx509) signing scheme.
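
Review bot: In [PATCH 1/2], the restored sentence "These attributes are typically signed by a third party (e.g. CA, TSA)." follows directly after "considered unsigned", and read together the two can suggest that the third-party signature is what makes these attributes trustworthy. The context bullets put the requirement on the verifier: the certificate chain "MUST be authenticated against a trust store", and the timestamp signature is "validated" when present. Consider stating in the intro sentence that these attributes are not covered by the signing key's signature and are validated separately, as the bullets describe. The subject line also says the sentence was mistakenly removed but does not reference the change that removed it; adding that reference would make the history easier to follow.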
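
Review bot: In [PATCH 2/2], the trailing "for various purposes" in the reworded sentence gives the reader nothing to act on, while the two bullets below it already state the purposes: authenticating the chain against a trust store, and showing that the primitive signature was generated before the timestamp. Suggest dropping the phrase or replacing it with a pointer to the bullets. The lowercase "may" also sits next to uppercase REQUIRED, OPTIONAL and MUST in the same section; if it is meant as descriptive rather than normative, "can be" avoids the ambiguity. The subject "update per comments" does not say what was changed; a short description of the wording change would help anyone reading the log without the review thread.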