L2 Formal Requirements
This document specifies the formal requirements for achieving Makoto Level 2: Provenance is Authentic. Level 2 builds upon Level 1 by adding cryptographic guarantees—attestations are digitally signed and tamper-evident, enabling consumers to verify authenticity and integrity.
Summary: L2 requires cryptographically signed attestations with verifiable identity binding, timestamp assurance, and hash-chained lineage. Consumers can detect tampering and verify that attestations came from a known, trusted producer.
Contents
Terminology #
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
| Term | Definition |
|---|---|
| Producer | Entity that creates data attestations. May be a data collector, transformer, or pipeline operator. |
| Platform | Infrastructure that executes data pipelines and supports attestation generation. |
| Verifier | Entity that validates attestations before consuming or trusting the associated data. |
| DSSE | Dead Simple Signing Envelope—the envelope format for signed in-toto attestations. |
| TSA | Timestamp Authority—a trusted service providing verifiable timestamps per RFC 3161. |
Producer Requirements #
Producers MUST meet all L1 requirements plus the following additional requirements.
Attestation Signing #
All attestations MUST be cryptographically signed using a digital signature algorithm. The attestation MUST be wrapped in a DSSE envelope containing the signature.
Verification
Verifiers check that the attestation is wrapped in a DSSE envelope with a valid signatures array containing at least one signature.
Signatures MUST use one of the following algorithms:
- ECDSA P-256 (ES256) — RECOMMENDED for most use cases
- ECDSA P-384 (ES384) — For higher security requirements
- Ed25519 — For performance-sensitive applications
- RSA-PSS (PS256, PS384, PS512) — For legacy compatibility only
Verification
Verifiers check the signature algorithm identifier in the DSSE envelope or associated key material.
Producers SHOULD use Sigstore keyless signing when possible. Keyless signing binds attestations to OIDC identities without requiring long-lived signing keys, simplifying key management and improving auditability.
Identity Binding #
Each signature MUST be bound to a verifiable identity through one of the following mechanisms:
- X.509 certificate — Certificate chain to trusted root CA
- Sigstore/Fulcio certificate — Short-lived certificate from OIDC identity
- Published public key — Key published at well-known location with documented ownership
Verification
Verifiers MUST be able to determine the identity that created the signature and validate that identity against a trust policy.
The attestation predicate MUST include a reference to the signing identity in the
collector.id (for origin attestations) or executor.id (for transform attestations) field.
This identifier MUST match or be verifiable against the signing identity.
{
"predicate": {
"collector": {
"id": "https://expanso.io/collectors/prod-west-1",
// This ID must match the signing certificate's subject
}
}
}
Timestamping #
All attestations MUST include a verifiable timestamp proving when the attestation was created. This MUST be achieved through one of:
- RFC 3161 timestamp token — From a trusted Timestamp Authority
- Sigstore Rekor entry — Attestation logged to transparency log with timestamp
- Certificate-embedded timestamp — When using short-lived signing certificates
Verification
Verifiers check the timestamp token signature or transparency log entry to confirm attestation creation time.
The attestation predicate MUST include metadata.startedOn and metadata.finishedOn
(for transforms) or origin.collectionTimestamp (for origins) as ISO 8601 timestamps.
These self-reported times SHOULD be consistent with the verifiable timestamp (within reasonable clock skew).
Hash Chaining #
Transform attestations MUST include cryptographic digests of all input datasets in the
predicate.inputs array. Each input MUST specify at minimum a sha256 digest.
{
"predicate": {
"inputs": [{
"name": "dataset:raw_transactions",
"digest": {
"sha256": "a1b2c3d4e5f6..."
},
"attestationRef": "https://attestations.example.com/abc123"
}]
}
}
Verification
Verifiers confirm that input digests match the subject.digest of the referenced input attestations, forming a verifiable chain.
Transform attestations MUST include attestationRef URIs for each input, pointing to
the signed attestation for that input dataset. This enables recursive lineage verification.
For streaming data, stream-window attestations SHOULD include a reference to the previous window's
attestation in predicate.integrity.previousWindow. This creates a tamper-evident chain
of windows.
Platform Requirements #
Platforms supporting L2 attestation MUST provide the following capabilities to producers.
Key Management #
The platform MUST provide a mechanism for producers to store signing keys securely. Keys MUST NOT be stored in plaintext in configuration files or environment variables accessible to arbitrary user code. Acceptable storage mechanisms include:
- Encrypted secrets management (e.g., HashiCorp Vault, AWS Secrets Manager)
- Platform-managed key storage with access controls
- Integration with external key management systems
The platform SHOULD provide native integration with Sigstore for keyless signing. This includes support for OIDC authentication and automatic Rekor transparency log submission.
The platform MUST enforce access controls on signing keys. Only authorized pipelines or identities SHOULD be able to use a given signing key. Access MUST be auditable.
Signing Infrastructure #
The platform MUST provide a signing API or component that producers can invoke to sign attestations. The signing operation MUST:
- Accept attestation payload and return signed DSSE envelope
- Use the configured signing key without exposing key material to the caller
- Log signing operations for audit purposes
The platform SHOULD provide components that automatically generate and sign attestations
as part of pipeline execution (e.g., makoto_attestation output component).
This reduces implementation burden on producers.
Timestamp Service Integration #
The platform MUST integrate with at least one trusted timestamp authority or transparency log. Options include:
- Sigstore Rekor (RECOMMENDED for public attestations)
- RFC 3161 Timestamp Authority (for private/enterprise deployments)
- Internal transparency log with verifiable timestamps
The platform SHOULD ensure that systems generating attestations have synchronized clocks (NTP) to minimize discrepancy between self-reported and authority-issued timestamps.
Verification Requirements #
Verifiers (data consumers) MUST perform the following checks to confirm L2 compliance.
Signature Verification #
Verifiers MUST validate that the DSSE envelope signature is cryptographically valid for the payload. The verification process MUST:
- Parse the DSSE envelope and extract payload and signatures
- Reconstruct the PAE (Pre-Authentication Encoding) from payload type and payload
- Verify at least one signature against the PAE using the signer's public key
Verifiers MUST reject attestations where signature verification fails. The data associated with a failed attestation MUST NOT be trusted for L2-requiring use cases.
Identity Verification #
Verifiers MUST determine and validate the signing identity. For X.509 certificates, this means validating the certificate chain to a trusted root. For Sigstore, this means verifying the Fulcio certificate and OIDC claims.
Verifiers MUST apply a trust policy to determine if the signing identity is authorized to produce attestations for the given data. Trust policies MAY be based on:
- Explicit list of trusted signing identities
- Organizational membership (e.g., any identity from
@example.com) - Certificate attributes (e.g., specific OU or SAN values)
Verifiers SHOULD check that the signing identity is consistent with the collector.id
or executor.id in the attestation predicate. Mismatches MAY indicate attestation reuse
or forgery attempts.
Timestamp Verification #
Verifiers MUST verify that the attestation has a valid timestamp from a trusted source. For RFC 3161 timestamps, verify the TSA signature. For Rekor entries, verify inclusion proof.
Verifiers SHOULD check that the attestation timestamp is consistent with expected data freshness. Attestations with timestamps significantly older than expected MAY indicate stale or replayed data.
Lineage Chain Verification #
For transform attestations, verifiers MUST verify that the inputs[].digest values
match the subject.digest values of the referenced input attestations. Mismatches
indicate data tampering between pipeline stages.
Verifiers SHOULD recursively fetch and verify all attestations in the lineage chain, back to origin attestations. This provides full provenance verification. Verification depth MAY be limited by policy for performance reasons.
Verifiers MUST compute the cryptographic digest of the received data and compare it to the
subject.digest in the attestation. If digests do not match, the data has been
modified after attestation and MUST NOT be trusted.
Threats Mitigated #
L2 compliance mitigates the following threats from the Makoto threat model:
| Threat | Description | Mitigation |
|---|---|---|
| D1 | Source Falsification | Signed origin claims tied to verifiable identity. Falsified origins require compromising signing keys. |
| D2 | Collection Tampering | Signed attestations with data hashes detect any post-collection modification. |
| D3 | Transform Opacity | Signed transform records with input/output hashes provide verifiable processing documentation. |
| D4 | Lineage Forgery (partial) | Hash chaining prevents insertion of fake history without detection. Full mitigation requires L3. |
| D8 | Time Manipulation | Trusted timestamps from TSA or transparency log prevent backdating attestations. |
Note: L2 does NOT fully mitigate threats D5 (Stream Injection) and D6 (Aggregation Manipulation). These require L3's isolated infrastructure guarantees. A compromised producer can still forge attestations with their own keys at L2.
Conformance Checklist #
Use this checklist to verify L2 compliance. All MUST requirements must be met; SHOULD requirements are recommended.
Producer Checklist
| Req | Requirement | Level |
|---|---|---|
| L2.P.1 | All attestations are signed and wrapped in DSSE envelopes | MUST |
| L2.P.2 | Using approved signature algorithm (ECDSA P-256, Ed25519, etc.) | MUST |
| L2.P.3 | Using keyless signing (Sigstore) where available | SHOULD |
| L2.P.4 | Signatures bound to verifiable identity (X.509, Sigstore, published key) | MUST |
| L2.P.5 | Identity reference included in attestation predicate | MUST |
| L2.P.6 | Verifiable timestamps included (RFC 3161, Rekor, or cert-embedded) | MUST |
| L2.P.7 | Timestamps recorded in attestation predicate | MUST |
| L2.P.8 | Transform attestations reference input digests | MUST |
| L2.P.9 | Transform attestations include input attestation references | MUST |
| L2.P.10 | Stream window attestations chain to previous window | SHOULD |
Platform Checklist
| Req | Requirement | Level |
|---|---|---|
| L2.PL.1 | Secure key storage mechanism provided | MUST |
| L2.PL.2 | Native Sigstore integration available | SHOULD |
| L2.PL.3 | Key access controls enforced and auditable | MUST |
| L2.PL.4 | Signing API/component available to producers | MUST |
| L2.PL.5 | Automatic attestation generation components available | SHOULD |
| L2.PL.6 | Timestamp authority/transparency log integration | MUST |
| L2.PL.7 | Clock synchronization (NTP) for attestation systems | SHOULD |
Verifier Checklist
| Req | Requirement | Level |
|---|---|---|
| L2.V.1 | DSSE envelope signature verified | MUST |
| L2.V.2 | Invalid signatures rejected | MUST |
| L2.V.3 | Signing identity verified (cert chain, Fulcio, etc.) | MUST |
| L2.V.4 | Trust policy applied to signing identity | MUST |
| L2.V.5 | Identity consistency with predicate verified | SHOULD |
| L2.V.6 | Timestamp authenticity verified | MUST |
| L2.V.7 | Timestamp freshness checked | SHOULD |
| L2.V.8 | Hash chain integrity verified | MUST |
| L2.V.9 | Lineage recursively verified | SHOULD |
| L2.V.10 | Data binding verified (compute digest, compare to attestation) | MUST |
Related Documents
L3 Requirements
Maximum assurance—unforgeable platform-generated attestations.
View L3 requirements →