
OIDC claims: support for GitHub org and repository IDs? #955

Closed
woodruffw opened this issue Jan 11, 2023 · 3 comments · Fixed by #945
Labels
enhancement New feature or request

Comments

@woodruffw
Copy link
Member

I'm raising this as a potential enhancement/addition to the current set of X.509 extensions used by Sigstore when encapsulating GitHub Actions OIDC claims, based on this comment in the pre-RFC discussion for Sigstore's integration into cargo/crates.io.

At the moment, there are two primary OIDC claims from GitHub Actions-issued tokens that get embedded in Fulcio-issued certificates as X.509v3 extensions:

  1. The SAN itself, which contains the value of job_workflow_ref from the OIDC token
  2. 1.3.6.1.4.1.57264.1.5, which contains the value of the repository claim from the OIDC token (in org/repo "slug" form)

These are sufficient for verification at a point in time, but some threat models may require the assertion that org/repo still refers to the same org and repo. Fortunately, GitHub provides stable numeric identifiers for these, in the form of the repository_id and repository_owner_id claims. These can be used to detect a change in underlying account or repository identity, e.g. in the case an attacker takes over a deleted GitHub account and attempts to release malicious updates with otherwise valid-looking claims.

So, my actual suggestion: we could add two new X.509v3 extensions (and corresponding OIDs):

  • 1.3.6.1.4.1.57264.1.8: GitHub Workflow Repository ID: the stable numeric identifier for the repository the workflow was run under
  • 1.3.6.1.4.1.57264.1.9: GitHub Workflow Repository Owner ID: the stable numeric identifier for the user or organization that owns the repository the workflow was run under

cc @asraa, @znewman01, and @haydentherapper for thoughts!

@woodruffw woodruffw added the enhancement New feature or request label Jan 11, 2023
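The check the issue is arguing for, as an added example in Go (Fulcio's own language) that is not part of the Fulcio project or of this thread: a certificate is minted with the existing repository extension (1.3.6.1.4.1.57264.1.5) plus the two proposed ID extensions (.1.8 and .1.9), and a verifier then compares all three against values it pinned earlier. Assumptions of this example, not statements from the issue: the certificate is self-signed rather than Fulcio-issued, .1.5 holds the raw slug bytes while .1.8 and .1.9 hold a DER UTF8String, the job_workflow_ref SAN is omitted, the names `Source`, `issueCert`, `parseSource` and `verifySource` are invented here, and the numeric IDs are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs as named in the issue: .1.5 is the existing repository-slug extension, .1.8 and .1.9 the
// proposed ID extensions. Encoding the IDs as DER UTF8String is an assumption of this example.
var (
	oidGitHubRepository        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
	oidSourceRepositoryID      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
	oidSourceRepositoryOwnerID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}
)

// Source holds the repository, repository_id and repository_owner_id claims; a verifier
// pins the same three values when it first establishes trust in a publisher.
type Source struct {
	Repository        string // "org/repo" slug
	RepositoryID      string // stable numeric identifier
	RepositoryOwnerID string // stable numeric identifier
}

func derUTF8(s string) []byte {
	b, _ := asn1.MarshalWithParams(s, "utf8") // marshalling a Go string as UTF8String does not fail
	return b
}

// issueCert builds a short-lived self-signed certificate carrying the three extensions. A real
// Fulcio certificate is CA-signed and also carries job_workflow_ref in the SAN; both are left out.
func issueCert(s Source) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{
			{Id: oidGitHubRepository, Value: []byte(s.Repository)},
			{Id: oidSourceRepositoryID, Value: derUTF8(s.RepositoryID)},
			{Id: oidSourceRepositoryOwnerID, Value: derUTF8(s.RepositoryOwnerID)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// parseSource reads the three claims back; Go keeps unknown non-critical extensions in
// cert.Extensions, so no custom ASN.1 walking is needed to find them.
func parseSource(cert *x509.Certificate) (Source, error) {
	var s Source
	decode := func(val []byte, dst *string) error {
		_, err := asn1.UnmarshalWithParams(val, dst, "utf8")
		return err
	}
	for _, e := range cert.Extensions {
		var err error
		switch {
		case e.Id.Equal(oidGitHubRepository):
			s.Repository = string(e.Value)
		case e.Id.Equal(oidSourceRepositoryID):
			err = decode(e.Value, &s.RepositoryID)
		case e.Id.Equal(oidSourceRepositoryOwnerID):
			err = decode(e.Value, &s.RepositoryOwnerID)
		}
		if err != nil {
			return Source{}, fmt.Errorf("extension %v: %w", e.Id, err)
		}
	}
	return s, nil
}

// verifySource compares slug and both numeric identifiers with the pinned values. Checking the
// slug alone would accept a certificate issued to whoever re-registers a deleted org and
// recreates the repo under the same name; the numeric IDs differ in that case, so this fails.
func verifySource(cert *x509.Certificate, pinned Source) error {
	got, err := parseSource(cert)
	if err != nil {
		return err
	}
	if got != pinned {
		return fmt.Errorf("source identity changed: certificate has %+v, pinned %+v", got, pinned)
	}
	return nil
}

func main() {
	pinned := Source{"octo-org/octo-repo", "123456789", "987654321"} // constructed sample values
	cert, _ := issueCert(pinned)
	fmt.Println("original publisher:", verifySource(cert, pinned))
	cert, _ = issueCert(Source{"octo-org/octo-repo", "424242", "535353"}) // same slug, new org and repo
	fmt.Println("re-registered account:", verifySource(cert, pinned))
}
```

The second certificate in `main` is the takeover scenario from the issue: the `repository` slug is byte-for-byte identical, so a verifier that only reads .1.5 would accept it, while the pinned `repository_id` and `repository_owner_id` no longer match and `verifySource` rejects it. A missing ID extension shows up as an empty field in the comparison and is rejected the same way.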
@haydentherapper
Copy link
Contributor

cc @feelepxyz @steiza

This is a very good point, and I think we should address this in #945.

@woodruffw
Copy link
Member Author

Nice! Going based on the generic names being used in #945, here are two proposed names for these:

  • Source Identifier, corresponding to GitHub Workflow Repository ID
  • Source Owner Identifier, corresponding to GitHub Workflow Repository Owner ID

(Given that the latter is now the first introduction of the concept of "Source Owner," it might make sense to also expose "Source Owner" as a separate extension that gets a URI reference to the logical owner of the source, e.g. https://github.com/${repository_owner}.)

@feelepxyz
Copy link
Member

Great call out!

>   • Source Identifier, corresponding to GitHub Workflow Repository ID
>   • Source Owner Identifier, corresponding to GitHub Workflow Repository Owner ID
>
> (Given that the latter is now the first introduction of the concept of "Source Owner," it might make sense to also expose "Source Owner" as a separate extension that gets a URI reference to the logical owner of the source, e.g. https://github.com/${repository_owner}.)

These names make sense to me 💯

I've updated #945 to include these.
