The in-toto Attestation Framework defines several field types that may be of common interest:
Uniform Resource Identifier as specified in RFC 3986, used to identify and locate any resource, service, or software artifact.
Format:
A ResourceURI is represented as a case sensitive string and MUST be case normalized as per section 6.2.2.1 of RFC 3986, meaning that the scheme and authority MUST be in lowercase.
SHOULD resolve to the artifact, but MAY be unresolvable. It is RECOMMENDED to use Package URL (
pkg:) or SPDX Download Location (e.g.git+https:).
Example:
"pkg:deb/debian/stunnel@5.50-3?arch=amd64".
Uniform Resource Identifier as specified in RFC 3986, used as a collision-resistant type identifier.
Format:
A TypeURI is represented as a case sensitive string and MUST be case normalized as per section 6.2.2.1 of RFC 3986, meaning that the scheme and authority MUST be in lowercase.
SHOULD resolve to a human-readable description, but MAY be unresolvable. SHOULD include a version number to allow for revisions.
TypeURIs are not registered. The natural namespacing of URIs is sufficient to prevent collisions.
Example:
"https://in-toto.io/Statement/v1".
A point in time.
Format:
A timestamp is represented as a string and MUST be in RFC 3339 format in the UTC timezone ("Z").
Example:
"1985-04-12T23:20:50.52Z".