in-toto: DSSE Implementation
- Mentors
- Lukas Pühringer, Aditya Sirish A Yelgundhalli
- Organization
- CNCF
- Technologies
- python
- Topics
- security, supply-chain
The in-toto framework generates metadata files (layouts and links) that are wrapped in a signature wrapper, or envelope. The current in-toto signature wrapper signs a canonicalized serialization of the metadata, which means the verifier has to parse and re-serialize untrusted input before it can check the signature; the signature then depends on the canonicalization code rather than on the exact bytes that were signed, which widens the attack surface and should be avoided. The Dead Simple Signing Envelope (DSSE) is a specification for a signing envelope that signs the raw payload bytes through a pre-authentication encoding binding the payload type and length, so it removes the dependence on canonicalization and supports payload encodings other than JSON. The in-toto framework's signature wrapper implementation must switch to DSSE.
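The following is an added example, not code from in-toto or from this project, showing why DSSE needs no canonicalization: it builds the DSSE v1 pre-authentication encoding (PAE) over the raw payload bytes, wraps them in a DSSE envelope, and verifies without ever parsing the payload. The PAE layout and envelope fields follow the DSSE specification; the HMAC-SHA256 keyed MAC, the shared key, the keyid `key1` and the sample link-like payload are stand-ins constructed for this example (a real deployment signs with an asymmetric key). The payload type `application/vnd.in-toto+json` is the one in-toto uses for its DSSE payloads.

```python
"""Minimal DSSE v1 envelope: sign and verify without canonicalization.

Added example, not in-toto's own code. HMAC-SHA256 stands in for the
public-key signature a real deployment would use; the DSSE-specific parts
(PAE and envelope layout) follow the DSSE specification.
"""
import base64
import hashlib
import hmac
import json

# Payload type in-toto uses for DSSE-wrapped metadata.
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
    LEN is the byte length in decimal ASCII. Binding the type and the
    length-prefixed raw bytes is what lets signer and verifier skip
    canonicalization entirely."""
    type_bytes = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(type_bytes), type_bytes, len(payload), payload)


def _mac(key: bytes, message: bytes) -> bytes:
    # Stand-in for sign(key, message); e.g. Ed25519 in practice (assumption).
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_envelope(payload: bytes, payload_type: str, keyid: str, key: bytes) -> dict:
    """Wrap raw payload bytes in a DSSE envelope carrying one signature."""
    sig = _mac(key, pae(payload_type, payload))
    return {
        "payload": base64.b64encode(payload).decode("ascii"),
        "payloadType": payload_type,
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, keys: dict) -> set:
    """Return the keyids whose signatures verify.

    The verifier rebuilds the PAE from the exact payload bytes it received and
    never parses or re-serializes the payload, so whether the payload is JSON,
    pretty-printed JSON or something else entirely is irrelevant here."""
    payload = base64.b64decode(envelope["payload"], validate=True)
    message = pae(envelope["payloadType"], payload)
    accepted = set()
    for entry in envelope["signatures"]:
        key = keys.get(entry["keyid"])
        if key is None:
            continue  # unknown signer: ignore this signature, never fail open
        expected = _mac(key, message)
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"], validate=True)):
            accepted.add(entry["keyid"])
    return accepted


def demo() -> dict:
    """Constructed sample: two serializations of the same link-like payload."""
    key = b"demo-shared-secret"  # constructed; a real key would be asymmetric
    keys = {"key1": key}
    statement = {"_type": "link", "name": "build", "products": {}}
    compact = json.dumps(statement, separators=(",", ":")).encode()
    pretty = json.dumps(statement, indent=2).encode()

    env = sign_envelope(compact, IN_TOTO_PAYLOAD_TYPE, "key1", key)
    results = {"ok": verify_envelope(env, keys) == {"key1"}}

    # Different bytes, same JSON meaning: a distinct message with its own
    # signature, and neither side had to canonicalize anything.
    results["pae_differs"] = pae(IN_TOTO_PAYLOAD_TYPE, compact) != pae(IN_TOTO_PAYLOAD_TYPE, pretty)
    env_pretty = sign_envelope(pretty, IN_TOTO_PAYLOAD_TYPE, "key1", key)
    results["pretty_ok"] = verify_envelope(env_pretty, keys) == {"key1"}

    # Swapping in the other serialization under the old signature is rejected.
    tampered = dict(env, payload=base64.b64encode(pretty).decode("ascii"))
    results["tamper_rejected"] = verify_envelope(tampered, keys) == set()

    # Changing only payloadType also fails: PAE binds the type, so a payload
    # cannot be reinterpreted under a different type.
    retyped = dict(env, payloadType="application/octet-stream")
    results["type_bound"] = verify_envelope(retyped, keys) == set()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is in `verify_envelope`: the payload is treated as opaque bytes from decoding to PAE to signature check, so there is no serializer whose behaviour the signature depends on. Under the canonical JSON wrapper, the equivalent step would have to parse the payload and re-emit it in canonical form first.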