Remove timestamp from checkpoint #1887

@haydentherapper

Description

We currently include the timestamp when the checkpoint was generated:

rekor.sigstore.dev - 3904496407287907110
4163431
TQBqpG78tgfdUdkAsSE3VMUMySUcNAXGwlYdnWovMjk=
Timestamp: 1701981305360721342

— rekor.sigstore.dev wNI9ajBFAiEA8v7iWeGsxEL5ysGdi1A2vu9lMSuCeRtSBOXzRCK+5ygCIBe0r5Au5PmbY1lbJv+1/x2KoLm/YPsb1X5JyY3OXUHH

Note the first line is the log identifier, the second is the log size, then the root hash, then extra data (the timestamp), then a new line and then the checkpoint signature.

No checkpoint verifier relies on the timestamp. It could be used to convey checkpoint freshness, that the checkpoint represents the latest snapshot of the log. However:

  • this is not verifiable in any way
  • if the log presented different views to different callers, say if the log wanted to act like it was "frozen" to one caller and serve an old checkpoint, that's mitigated through witnessing, not through checkpoint timestamps
  • if a verifier were to require it be fresh, it means we cannot cache static checkpoints for old log shards.

I propose that we remove the timestamp from the checkpoint. We'll need to confirm that this is not a breaking change, that old clients can verify checkpoints without the timestamp present.

cc @mhutchinson
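
An added example, not part of the issue or of Rekor's code: a minimal Go parser for the checkpoint layout described above, run over the quoted checkpoint and over a constructed copy with the timestamp line removed. `ParseCheckpoint` and the constant names are hypothetical; no signature is verified, and the signature shown would not verify over the shortened body.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Constructed inputs assembled from the checkpoint quoted in the issue.
const (
	header        = "rekor.sigstore.dev - 3904496407287907110\n4163431\nTQBqpG78tgfdUdkAsSE3VMUMySUcNAXGwlYdnWovMjk=\n"
	sigs          = "\n— rekor.sigstore.dev wNI9ajBFAiEA8v7iWeGsxEL5ysGdi1A2vu9lMSuCeRtSBOXzRCK+5ygCIBe0r5Au5PmbY1lbJv+1/x2KoLm/YPsb1X5JyY3OXUHH\n"
	WithTimestamp = header + "Timestamp: 1701981305360721342\n" + sigs // shape served today
	// Proposed shape. The signature was made over the other body; parsing only.
	WithoutTimestamp = header + sigs
)

// Checkpoint holds the fields a verifier consumes plus any extension lines.
type Checkpoint struct {
	Origin string
	Size   uint64
	Root   []byte
	Other  []string // optional lines after the root hash, e.g. "Timestamp: ..."
}

// ParseCheckpoint (hypothetical) returns the parsed body and the exact text a
// note signature covers; extension lines are signed but never required here.
func ParseCheckpoint(note string) (*Checkpoint, string, error) {
	body, sig, ok := strings.Cut(note, "\n\n")
	lines := strings.Split(body, "\n")
	if !ok || !strings.HasPrefix(sig, "— ") || len(lines) < 3 || lines[0] == "" {
		return nil, "", fmt.Errorf("want origin, size, root hash, blank line, signature")
	}
	size, err := strconv.ParseUint(lines[1], 10, 64)
	if err != nil {
		return nil, "", fmt.Errorf("bad tree size: %w", err)
	}
	root, err := base64.StdEncoding.DecodeString(lines[2])
	if err != nil || len(root) != 32 {
		return nil, "", fmt.Errorf("root hash must be base64 of 32 bytes")
	}
	return &Checkpoint{lines[0], size, root, lines[3:]}, body + "\n", nil
}

func main() {
	c, signed, err := ParseCheckpoint(WithoutTimestamp)
	fmt.Printf("%+v signed=%d bytes err=%v\n", c, len(signed), err)
}
```

Both inputs yield the same origin, size and root hash, but the signed text differs, so the compatibility question is whether a given client's parser tolerates a body with no extension lines.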

Labels: enhancement (New feature or request)
