index hosted attestations: Increase version number

jku · jku · commit c89ce14c57f9 · 2025-11-03T13:52:10.000+02:00
diff --git a/source/specifications/index-hosted-attestations.rst b/source/specifications/index-hosted-attestations.rst
@@ -43,7 +43,10 @@ object is provided as pseudocode below.
   class Attestation:
       version: Literal[1]
       """
-      The attestation object's version, which is always 1.
+      The attestation object's version. Current version is 2.
+
+      version 2 added verification_material.timestamps, in practice allowing the
+      use of rekor v2 entries in verification_material.transparency_entries.
       """
 
       verification_material: VerificationMaterial
@@ -87,9 +90,12 @@ object is provided as pseudocode below.
 
       timestamps: list[bytes]
       """
-      List of base64 encoded RFC3161 timestamp responses. Note that list
-      may be empty if `transparency_entries` only contains entries with an
-      integrated_time (in other words entries of kind "dsse 0.0.1").
+      List of base64 encoded RFC3161 timestamp responses.
+
+      Added in Attestation version 2.
+
+      Note that list may be empty if `transparency_entries` only contains entries
+      with an integrated_time (in other words entries of kind "dsse 0.0.1").
       """
 
 A full data model for each object in ``transparency_entries`` is provided in
@@ -98,9 +104,9 @@ transparency log entries, and **MAY** include additional keys for other
 sources of signed time (such as an :rfc:`3161` Time Stamping Authority or a
 `Roughtime <https://blog.cloudflare.com/roughtime>`__ server).
 
-Attestation objects are versioned; this PEP specifies version 1. Each version
+Attestation objects are versioned; this PEP specifies version 2. Each version
 is tied to a single cryptographic suite to minimize unnecessary cryptographic
-agility. In version 1, the suite is as follows:
+agility. In both versions 1 & 2, the suite is as follows:
 
 * Certificates are specified as X.509 certificates, and comply with the
   profile in :rfc:`5280`.
@@ -334,6 +340,10 @@ of signed inclusion time, and can be verified either online or offline.
       integrated_time: int
       """
       The UNIX timestamp from the log from when the entry was persisted.
+
+      Note: An integrated timestamp is not always provided (in practice
+      integrated_time == 0 in this case): in this case external
+      Timestamp Authority timestamps are required to verify the entry.
       """
 
       inclusion_proof: InclusionProof
