From b37a72d88494403eef685961c22cb19f743553af Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 5 Dec 2024 22:27:18 +0000 Subject: [PATCH] make sure orgs can have additional requirements if they want Signed-off-by: Tom Hennen --- docs/spec/draft/principles.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/spec/draft/principles.md b/docs/spec/draft/principles.md index 540f0a5ad..794bdcad9 100644 --- a/docs/spec/draft/principles.md +++ b/docs/spec/draft/principles.md @@ -129,10 +129,12 @@ to reveal their legal identity.** to an actor. Choice of identification technology is left to the platform that provides the action (e.g. username, cryptographic signing key, etc.). -When identities are strongly authenticated and used consistently they can be leveraged for both of -these purposes without requiring them to be mapped to legal identities. This reflects how -identities are often used in open source. A legal name means much less to projects than the -history and behavior of a given handle over time does. +When identities are strongly authenticated and used consistently they can often be leveraged +for both of these purposes without requiring them to be mapped to legal identities. +This reflects how identities are often used in open source where legal name means much less +to projects than the history and behavior of a given handle over time does. Meanwhile some +organizations may choose to levy additional requirements on identities. They are free to do +so, but SLSA itself does not require it. **Benefits**: By _not_ requiring legal identities SLSA lowers the barriers to its adoption, enabling all of its other benefits and maintaining support for anonymous and pseudonymous
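Review bot: The added sentence "Meanwhile some organizations may choose to levy additional requirements on identities" does not say what kind of requirement is meant, so its link to the principle in this section (not mapping identities to legal identities) is left implicit. Consider stating it directly, for example "Some organizations may choose to impose additional requirements on identities, such as mapping them to legal identities. SLSA itself does not require this." In the rewritten second sentence, "where legal name means much less" drops the article that the removed text had ("A legal name"), and the clause needs a comma before "where". The first added line also changes "can be leveraged" to "can often be leveraged"; if that softening is intended, it is worth mentioning in the commit message, which currently only covers the organizational requirements.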