I like your model.
Reading it makes me think the only think that is missing from the attestation spec is optional tags to "proof".
For example, when I assert a build is reproducible, i should also attest to my own assertion being true and link to the build pipelines outputs showing that.
Reading it makes me think the only think that is missing from the attestation spec is optional tags to "proof".
For example, when I assert a build is reproducible, i should also attest to my own assertion being true and link to the build pipelines outputs showing that.