
Clarify 'Tamper with provenance or VSA' threat #1223

Open
TomHennen opened this issue Oct 25, 2024 · 1 comment

@TomHennen (Contributor)

```suggestion
Threat: Issue an attestation that purposefully misrepresents the subject.
```

_Originally posted by @zachariahcox in https://github.com/slsa-framework/slsa/pull/1191#discussion_r1816709266_
@TomHennen (Contributor, Author)

I don't think this is quite right. In examples 1 and 2 the threat described is that an existing attestation is tampered with; the mitigation described detects these problems because the attacker cannot modify the valid attestations without invalidating the expected signatures.

However, I think 'example 3' should probably be captured in a threat by itself, as that deals with expectations mismatching, which is usually captured elsewhere.

@TomHennen TomHennen self-assigned this Oct 25, 2024
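As an added example (not code from the SLSA project or this thread), the two checks the comment above separates: signature verification catching a tampered attestation (examples 1 and 2), and a subject-digest check catching an attestation that does not describe the artifact under verification (example 3). It uses DSSE's PAE framing over an in-toto Statement; an HMAC key stands in for the signer's asymmetric key, and the artifact, key and names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Assumption: HMAC stands in for the signer's real asymmetric key so the
# example runs with the standard library only; the PAE framing is DSSE's.
SIGNING_KEY = b"constructed-demo-key"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: binds payload type and body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def sign_statement(statement: dict) -> dict:
    """Wrap a Statement in a DSSE-style envelope (payload kept as raw bytes)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload, "signatures": [{"sig": sig}]}


def verify_envelope(env: dict) -> bool:
    """Examples 1 and 2: any edit to the signed body invalidates the signature."""
    expected = hmac.new(SIGNING_KEY, pae(env["payloadType"], env["payload"]),
                        hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(s["sig"], expected) for s in env["signatures"])


def subject_matches(env: dict, artifact: bytes) -> bool:
    """Example 3: a validly signed attestation must still name the artifact at hand."""
    statement = json.loads(env["payload"])
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest for s in statement["subject"])


def tamper_payload(env: dict, old: bytes, new: bytes) -> dict:
    """Constructed attacker action: edit the signed body without re-signing."""
    return dict(env, payload=env["payload"].replace(old, new))


ARTIFACT = b"constructed artifact bytes"  # constructed stand-in for a build output
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"buildType": "https://example.invalid/build"}},
}
```

A real verifier would also check the signer's identity against its expectations; that policy step is the "elsewhere" the comment refers to and is not shown here.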