|
|
|
|
|
|
by bigmac
3705 days ago
|
|
|
The several daemons serve two purposes: 1. We have to host the signatures somewhere, so we host them in a store we call the notary server. 2. Notary has a concept of timestamping, so we spin up a timestamping server alongside a notary server that can guarantee the freshness of the data. We use a separate server so that folks can segment the timestamp signing functionality from the signature metadata serving functionality. This helps allow separation of concerns. Timestamping is important because it can help prevent replay attacks where old, validly signed data is served to clients. Think serving an outdated container with known-vulnerable software. Sadly, most artifact signing systems do not mitigate this attack today, but we wanted to make sure ours would. |
|
|