
Wishlist for higher SLSA levels

Open joshuagl opened this issue 4 years ago • 3 comments

There have been a few suggestions over time of things to add in future as higher SLSA levels once the current requirements are well established. I wanted to create a space to jot down wish list items for those future higher SLSA levels.

Note: this is not to push for a higher level to be defined today, or even soon, but instead to start capturing items that may warrant a higher SLSA level.

  • Two-person review by two trusted persons who are not the uploader/submitter (the current SLSA 4 requirement requires two trusted persons to approve a change, one of whom may be the submitter).

joshuagl, Oct 21 '21 20:10
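To make the difference between the two rules concrete, here is an added example (not code from the SLSA project or the issue author) that evaluates a constructed change record against the current SLSA 4 wording and against the stricter wish-list wording; the record format and the `trusted` flag are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    reviewer: str
    trusted: bool  # reviewer is a "trusted person" under the project's own definition


@dataclass(frozen=True)
class ChangeRecord:
    submitter: str
    submitter_trusted: bool
    approvals: tuple  # of Approval; shape is an assumption, not a SLSA format


def trusted_reviewers_other_than_submitter(change: ChangeRecord) -> set:
    """Trusted approvers, with any self-approval by the submitter discarded."""
    return {a.reviewer for a in change.approvals if a.trusted} - {change.submitter}


def meets_current_slsa4(change: ChangeRecord) -> bool:
    """Current wording: two trusted persons approve; the submitter may be one of them."""
    implicit = 1 if change.submitter_trusted else 0
    return len(trusted_reviewers_other_than_submitter(change)) + implicit >= 2


def meets_proposed_stricter(change: ChangeRecord) -> bool:
    """Wish-list wording: two trusted reviewers, neither of whom is the submitter."""
    return len(trusted_reviewers_other_than_submitter(change)) >= 2


# Constructed sample records (hypothetical names, not real reviewers).
SELF_PLUS_ONE = ChangeRecord("alice", True, (Approval("alice", True), Approval("bob", True)))
TWO_OTHERS = ChangeRecord("alice", True, (Approval("bob", True), Approval("carol", True)))
UNTRUSTED_REVIEWER = ChangeRecord("alice", True, (Approval("dave", False),))


def evaluate(change: ChangeRecord) -> dict:
    return {"current_slsa4": meets_current_slsa4(change),
            "proposed_stricter": meets_proposed_stricter(change)}


if __name__ == "__main__":
    for name, rec in [("self+one", SELF_PLUS_ONE), ("two others", TWO_OTHERS),
                      ("untrusted", UNTRUSTED_REVIEWER)]:
        print(name, evaluate(rec))
```

The first record passes today's rule only because the trusted submitter counts as one of the two approvers; the stricter rule rejects it.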

Today SLSA doesn't touch on credential or key lifespan at all, but I think the exclusive use of extremely short-lived credentials (e.g. OIDC) and keys (e.g. Fulcio) might be a SLSA 5 thing.

mattmoor, Oct 21 '21 21:10

@david-a-wheeler suggested verified reproducible builds in #5

joshuagl, Oct 28 '21 10:10

Expand the zero-trust notion over all steps, including originating geo-location, network, sources, users, and providers.

moshe-apiiro, Nov 28 '21 16:11