Stabilize the bundle format

[woodruffw]

Per sigstore/sig-clients#8: releasing a 1.0 version of the specs here would lend weight to cross-client standardization.

As part of that, we probably need a task burndown, along a few axes:

1. What isn't in the specs yet that needs to be?
2. What (breaking) changes to we want to make for a 1.0?
3. What other language bindings do we want to be ready with a 1.0?

[woodruffw]

As a personal bugbear that I'd like to see addressed in 1.0: there are currently way too many valid states for the tuple of (inclusion promise, inclusion proof, checkpoint); I'd like it if we further ratcheted on the change in #82 and removed the inclusion promise entirely.

[haydentherapper]

We wouldn't be able to remove it entirely unfortunately, since it's still used as a signed timestamp from Rekor, but it could be moved under TimestampVerificationData. Verification then will require a promise+checkpoint, and a timestamp from either what's currently the "inclusion promise" or a TSA timestamp.

[haydentherapper]

Are we using https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_verification.proto? One question is if we want a 1.0 release for everything or just the bundle format. I think the verification options are still a WIP. Do we have enough usage of trustroot for declaring it 1.0?

[kommendorkapten]

For the trust root, I'd say we can declare it 1.0. We are using it for npm and some other projects.
For sigstore_verification we are using it to model a lot of the verification logic, including how complex policies can be broken down in to concrete verification steps, but i think its still to immature and not standardized over different clients yet to be 1.0, keeping that in alpha seems more sane to me.

[jku]

For consideration WRT trustroot: #183