Refactoring the image signing routines (#28) left as an open TODO deriving the CFPA KeyStatus bits from root_certs (and whatever else we might need). If we pass the signing root (i.e., signing_certs[0]) then we can check that it occurs in root_certs, and maybe mark as Revoked? (I admit not understanding the difference between Revoked1 and Revoked2) the ones before that. But this appears to be partly a matter of policy rather than a strictly technical decision, so feedback would be welcome on how we intend to set and use these bits.