
Clarification on valid in-toto statement encapsulation

Open. AdamZWu opened this issue 2 years ago • 1 comment

SLSA v1.0 specs refer to the in-toto v1 ResourceDescriptor, does that mean a SLSA v1.0 predicate can only be encapsulated by an in-toto statement v1? (i.e. we should not expect an in-toto statement v0.1 to contain a SLSA v1.0 predicate?)

How about the reverse? Could an in-toto statement v1 encapsulate a SLSA v0.1 or v0.2 predicate?

AdamZWu, Jul 12 '23 23:07

My take is that v1 Statements can hold any SLSA version predicate, but the reverse (v1 provenance in pre-v1 Statements) is trickier because pre-v1 Statements (and therefore verifiers) don't know about resource descriptors. Other thoughts?

marcelamelara, Jul 17 '23 16:07
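A small checker that applies the pairing rule proposed in the comment above, as an added example rather than code from the SLSA or in-toto projects. The `_type` and `predicateType` URIs are the ones defined by the in-toto attestation and SLSA provenance specs; the rule itself (v1 Statement may carry any SLSA version, v0.1 Statement should not carry SLSA v1) is the thread's proposed reading, not spec text, and the sample statements are constructed.

```python
import json

# Statement and predicateType URIs as defined by the in-toto attestation and SLSA specs.
STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_MAJOR = {  # predicateType -> SLSA provenance major version
    "https://slsa.dev/provenance/v0.1": 0,
    "https://slsa.dev/provenance/v0.2": 0,
    "https://slsa.dev/provenance/v1": 1,
}

def check_encapsulation(statement_json: str) -> list[str]:
    """Return the problems found with a Statement/predicate pairing (empty = OK).

    Rule implemented (the thread's proposed reading, an assumption, not spec text):
    a v1 Statement may carry any SLSA provenance version, but a v0.1 Statement
    should not carry SLSA v1 provenance, since pre-v1 Statements and their
    verifiers do not know about ResourceDescriptors.
    """
    stmt = json.loads(statement_json)
    stype, ptype = stmt.get("_type"), stmt.get("predicateType")
    if stype not in (STATEMENT_V01, STATEMENT_V1):
        return [f"unknown Statement type: {stype!r}"]
    if ptype not in SLSA_PROVENANCE_MAJOR:
        return [f"not a SLSA provenance predicateType: {ptype!r}"]
    problems = []
    if stype == STATEMENT_V01 and SLSA_PROVENANCE_MAJOR[ptype] >= 1:
        problems.append("SLSA v1 provenance wrapped in a v0.1 Statement")
    # Both Statement versions require each subject to carry a non-empty digest set.
    for i, subj in enumerate(stmt.get("subject", [])):
        if not isinstance(subj.get("digest"), dict) or not subj["digest"]:
            problems.append(f"subject[{i}] has no digest")
    return problems

def sample_statement(statement_type: str, predicate_type: str) -> str:
    """Constructed sample Statement; the digest value is a placeholder, not a real hash."""
    return json.dumps({
        "_type": statement_type,
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],
        "predicateType": predicate_type,
        "predicate": {},
    })

if __name__ == "__main__":
    # Walk every Statement/predicate combination and report which pairings the rule rejects.
    for st in (STATEMENT_V01, STATEMENT_V1):
        for pt in SLSA_PROVENANCE_MAJOR:
            result = check_encapsulation(sample_statement(st, pt)) or "ok"
            print(st.rsplit("/", 1)[1], pt.rsplit("/", 1)[1], result)
```

A verifier that only understands v0.1 Statements would still need its own schema check on the predicate body; this only flags the version pairing and the subject digests.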