Add data structure and convention associating multiple messages with an artifact about dsse HOT 4 CLOSED

First question: should this be specific to in-toto (and thus move this issue to that repo) or should this be generic for all signed messages (and just stay here).

from dsse.

I propose leaving it here.

1. There is likely value in being able to have a standard method of encoding multiple signed messages in a single file.
2. The method of encoding multiple signed messages necessarily involves understanding the outer wrapper being encoded. While ITE-6 currently defines using this signing-spec it's conceivable that it could change to support some other method of signing in the future. That new method might not be compatible with whatever method of serializing multiple messages in a single file is proposed in ITE-6.

Proposal:

1. Define the format in Signing-Spec
2. Use Line Delimited JSON https://en.wikipedia.org/wiki/JSON_streaming#Line-delimited_JSON

from dsse.

I propose moving it to the new https://github.com/in-toto/attestation. The only use case we know of is attestations, so my inclination is to keep it specific until we know that we need a more general solution.

Counterpoint to Tom's #2: I believe there is value in having the Bundle be independent of the Envelope. The Bundle could then wrap any type of envelope and indicate its type.

(See https://github.com/slsa-framework/slsa-controls/blob/main/attestations.md for Bundle vs Envelope)

from dsse.

In the interest of keeping this signing spec as simple as possible, I'm going to move this issue now.

from dsse.