Clarify TimeRange validity periods (#78)

* Clarify TimeRange validity periods Signed-off-by: Zachary Newman <zjn@chainguard.dev> * Update `struct TimeRange` comment too Signed-off-by: Zachary Newman <zjn@chainguard.dev> * Fix spacing (tab->space) Signed-off-by: Zachary Newman <zjn@chainguard.dev> --------- Signed-off-by: Zachary Newman <zjn@chainguard.dev>
sigstore · Apr 26, 2023 · 13e09aa · 13e09aa
1 parent 852ac8d
commit 13e09aa
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 15 deletions.
diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
@@ -104,7 +104,7 @@ message PublicKey {
         optional bytes raw_bytes = 1;
         // Key encoding and signature algorithm to use for this key.
         PublicKeyDetails key_details = 2;
-        // Optional validity period for this key.
+        // Optional validity period for this key, *inclusive* of the endpoints.
         optional TimeRange valid_for = 3;
 }
 
@@ -187,8 +187,8 @@ message X509CertificateChain {
         repeated X509Certificate certificates = 1;
 }
 
-// The time range is half-open and does not include the end timestamp,
-// i.e [start, end).
+// The time range is closed and includes both the start and end times,
+// (i.e., [start, end]).
 // End is optional to be able to capture a period that has started but
 // has no known end.
 message TimeRange {

diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
@@ -52,7 +52,10 @@ message CertificateAuthority {
         dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
         // The time the *entire* chain was valid. This is at max the
         // longest interval when *all* certificates in the chain were valid,
-        // but it MAY be shorter.
+        // but it MAY be shorter. Clients MUST check timestamps against *both*
+        // the `valid_for` time range *and* the entire certificate chain.
+        //
+        // The TimeRange should be considered valid *inclusive* of the endpoints.
         dev.sigstore.common.v1.TimeRange valid_for = 4;
 }