Chainsights is currently:
- A DNS-based challenge protocol akin to Let's Encrypt's (domain ownership is proven by publishing a challenge value in DNS)
- A set of in-toto predicates, with some protocol rules on following links between attestations
- A trust and identity mechanism through Sigstore
- Client tooling for the DNS challenge and for traversal of the in-toto attestations
This is currently leading to some confusion that the only way forward is to use all of these things in conjunction, when it should be clearer that each of the pieces can stand on its own:
- The DNS challenge can work with other supply chain transparency documents, not just in-toto attestations
- The in-toto attestations can work with other discovery protocols
- Sigstore can be swapped out for other trust mechanisms
- The client tooling is just a PoC, but it can be extended to work with more than just the DNS challenge and in-toto attestations, or with completely different things if it turns out the DNS challenge and/or the attestations are not the right approach
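To make the separation concrete, the following is an added example (not Chainsights code, and not a description of its actual protocol) that models the three pieces as independent layers: a DNS challenge that only yields attestation locations once the domain owner has answered it, in-toto v1 Statements whose links are traversed with cycle and depth limits, and a trust layer behind a small interface so the verifier can be swapped. The `_chainsights` and `_chainsights-challenge` record labels, the `links` field inside the predicate, the ACME DNS-01-style challenge value and the HMAC stand-in for Sigstore are all assumptions made for this example; the sample statements and DNS records are constructed inline.

```python
"""Added example: pluggable discovery / attestation traversal / trust layers.
Not Chainsights code. Record labels, the predicate `links` field and the
HMAC verifier are assumptions for this example only."""
from __future__ import annotations
import base64, hashlib, hmac, json
from typing import Callable, Protocol

# ---- Trust layer: anything that can accept or reject a signed payload ----
class Verifier(Protocol):
    def verify(self, payload: bytes, signature: str) -> bool: ...

class HmacVerifier:
    """Stand-in for Sigstore (assumption): a shared-key MAC. A keyless or
    certificate-based verifier can replace it without touching the other layers."""
    def __init__(self, key: bytes) -> None:
        self.key = key
    def sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()
    def verify(self, payload: bytes, signature: str) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)

# ---- Discovery layer: a DNS challenge that yields attestation locations ----
TxtLookup = Callable[[str], list[str]]  # resolver injected so this runs offline

def dns_challenge_value(token: str, key_thumbprint: str) -> str:
    """ACME DNS-01 style value (assumption): base64url(sha256(token.thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{key_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def discover_via_dns(domain: str, token: str, thumbprint: str, lookup: TxtLookup) -> list[str]:
    """Return attestation URIs only if the domain owner answered the challenge."""
    if dns_challenge_value(token, thumbprint) not in lookup(f"_chainsights-challenge.{domain}"):
        return []  # unanswered or wrong challenge: nothing is trusted from this domain
    records = lookup(f"_chainsights.{domain}")
    return [r[len("attestation="):] for r in records if r.startswith("attestation=")]

# ---- Attestation layer: in-toto v1 Statements linked through the predicate ----
def make_statement(subject: str, predicate_type: str, predicate: dict) -> dict:
    return {"_type": "https://in-toto.io/Statement/v1", "subject": [{"name": subject}],
            "predicateType": predicate_type, "predicate": predicate}

def traverse(start_uri: str, fetch: Callable[[str], tuple[bytes, str]],
             verifier: Verifier, max_depth: int = 8) -> list[str]:
    """Depth-first walk over predicate["links"]; each envelope is verified before
    its links are followed. Unverifiable, cyclic or too-deep references are skipped."""
    seen: set[str] = set()
    order: list[str] = []
    stack = [(start_uri, 0)]
    while stack:
        uri, depth = stack.pop()
        if uri in seen or depth > max_depth:
            continue
        seen.add(uri)
        payload, sig = fetch(uri)
        if not verifier.verify(payload, sig):
            continue  # tampered or unsigned: do not trust anything it points to
        stmt = json.loads(payload)
        if stmt.get("_type") != "https://in-toto.io/Statement/v1":
            continue
        order.append(uri)
        for link in reversed(stmt["predicate"].get("links", [])):
            stack.append((link, depth + 1))
    return order

# ---- Constructed fixture: three linked statements (one tampered) and DNS records ----
def build_fixture(verifier: HmacVerifier) -> tuple[dict[str, list[str]], dict[str, tuple[bytes, str]]]:
    base = "https://example.test/att/"
    stmts = {
        base + "build": make_statement("pkg-1.0.tar.gz", "https://slsa.dev/provenance/v1",
                                       {"links": [base + "source", base + "test"]}),
        base + "source": make_statement("src", "https://example.test/source/v1",
                                        {"links": [base + "build"]}),  # cycle back to build
        base + "test": make_statement("pkg-1.0.tar.gz", "https://example.test/test/v1", {}),
    }
    store = {}
    for uri, s in stmts.items():
        payload = json.dumps(s, sort_keys=True).encode()
        store[uri] = (payload, verifier.sign(payload))
    payload, sig = store[base + "test"]  # simulate tampering after signing
    store[base + "test"] = (payload.replace(b"pkg-1.0", b"pkg-9.9"), sig)
    dns = {"_chainsights-challenge.example.test": [dns_challenge_value("tok-constructed", "thumb-constructed")],
           "_chainsights.example.test": ["v=1", "attestation=" + base + "build"]}
    return dns, store

def run_demo() -> list[str]:
    verifier = HmacVerifier(b"constructed-shared-key")
    dns, store = build_fixture(verifier)
    roots = discover_via_dns("example.test", "tok-constructed", "thumb-constructed",
                             lambda name: dns.get(name, []))
    return [uri for root in roots for uri in traverse(root, lambda u: store[u], verifier)]

if __name__ == "__main__":
    print(run_demo())
```

Because discovery, traversal and verification only meet at the two small interfaces (`TxtLookup` and `Verifier`), each can be replaced independently: a different discovery protocol just has to return attestation URIs, a different trust mechanism just has to implement `verify`, and the traversal rules stay the same for any in-toto Statement regardless of how it was found or signed. In the constructed run, the cycle from `source` back to `build` is cut by the `seen` set and the tampered `test` statement is dropped at verification, so it never contributes links.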