Description
Description: As discussed during the May 12 meeting, I'm currently working on using short-lived keys to sign artifacts and now need to handle making sure the signature was generated during the key's validity window. RFC 3161 exists as a way to standardize this process but doesn't define any specifications for transport. I'm appealing to the tag-security group as a whole for individuals who have experience in this field to perhaps form a small meeting to discuss the issue.
Impact: This will impact my work on the in-toto project and how we approach supply chain security in that context.
Scope: I do not believe this to be a significant scope. A few people chimed in during the meeting who seemed experienced in this field. A few references were provided: sigstore/rekor#293 and TUF's handling of timestamps were of particular note.
@colek42 @trishankatdatadog Marina Moore also expressed interest in being tagged on this, but I am unable to find a GitHub account for them.
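An added illustration of the check the issue asks for, not code from this issue, from in-toto or from Rekor: a Python model of the RFC 3161 TSTInfo fields a verifier needs to decide whether a signature was produced inside a short-lived key's validity window. `TSTInfo`, `KeyValidity`, `signature_in_validity_window` and `demo` are assumed names; the code assumes the TSA's own signature over the token has already been verified by a CMS library, and the key window and tokens are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the RFC 3161 TSTInfo fields this check needs. A real
# token is a DER-encoded CMS SignedData; a CMS library must parse it and
# verify the TSA's signature before these fields can be trusted.
@dataclass
class TSTInfo:
    hash_alg: str          # messageImprint.hashAlgorithm, e.g. "sha256"
    hashed_message: bytes  # messageImprint.hashedMessage
    gen_time: datetime     # genTime, UTC
    accuracy: timedelta    # accuracy, zero when the TSA omits it

@dataclass
class KeyValidity:         # notBefore/notAfter of the short-lived signing key
    not_before: datetime
    not_after: datetime

def signature_in_validity_window(signature, tst, key):
    """Return (accepted, reason) for a signature plus its timestamp token."""
    # 1. Binding: the token must cover exactly this signature, otherwise a
    #    token issued for some other artifact could be reused to backdate it.
    if tst.hash_alg not in ("sha256", "sha384", "sha512"):
        return False, f"unsupported imprint hash {tst.hash_alg}"
    if hashlib.new(tst.hash_alg, signature).digest() != tst.hashed_message:
        return False, "messageImprint does not match the signature"
    # 2. Window: the whole accuracy interval must fall inside the key's
    #    validity, so an uncertain timestamp near an edge is rejected.
    earliest = tst.gen_time - tst.accuracy
    latest = tst.gen_time + tst.accuracy
    if earliest < key.not_before:
        return False, "timestamp may predate key notBefore"
    if latest > key.not_after:
        return False, "timestamp may postdate key notAfter"
    return True, "ok"

def demo():
    """Constructed sample: a 10-minute key with tokens inside, at, and off it."""
    t0 = datetime(2021, 5, 12, 12, 0, tzinfo=timezone.utc)
    key = KeyValidity(t0, t0 + timedelta(minutes=10))
    sig = b"constructed-signature-bytes"
    imprint = hashlib.sha256(sig).digest()
    inside = TSTInfo("sha256", imprint, t0 + timedelta(minutes=5), timedelta(seconds=1))
    edge = TSTInfo("sha256", imprint, t0 + timedelta(minutes=10), timedelta(seconds=1))
    other = TSTInfo("sha256", hashlib.sha256(b"other").digest(), t0, timedelta(0))
    return [signature_in_validity_window(sig, t, key) for t in (inside, edge, other)]
```

The `edge` case shows why the accuracy field matters: a token stamped exactly at notAfter with one second of uncertainty is rejected rather than accepted on the boundary.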