I am aware of gpg.fail; https://news.ycombinator.com/item?id=46403200
Have they yet eliminated the single points of failure from Sigstore (i.e. the centralized database)?
> During the pre-PEP discussion, there was a question of whether offline verification was supported by Sigstore. Using a Sigstore bundle (.sigstore) file, Sigstore clients support verifying the artifact completely offline.
> Using offline verification with Sigstore requires disabling root of trust updates and “pinning” a root of trust in a file to use during verification.
> [...]
> Offline verification also makes revocation checks impossible, but this is similar to PGP’s model where revocation of keys requires an online lookup.
How does this compare to CRL and OCSP for key revocation?
Fairly certain this just reinvents the wheel with fewer years of review.
Synchronizing CT (Certificate Transparency) logs to browsers is apparently considered infeasible. Merkle Certificates may help with this too?