
timestamps without embedded cert seem to fail #1481

@jku

Description


Filing this may be a little premature, I don't know the full picture yet...

sigstore/sigstore-conformance#230 contains a test that fails with

not enough timestamps validated to meet the validation threshold

with the reason from rfc3161-client:

Certificates neither found in the answer or in the Verification Options.

The test uses sigstore-python from main (a fairly new commit) and rfc3161-client 1.0.3.

  • The bundle timestamp indeed does not contain a certificate at all -- I'm not sure why we are now seeing this sort of timestamps but it is fine by spec
  • there is a test in rfc3161-client now for this situation (no embedded cert) and it passes

I think the issue might be in how sigstore-python constructs the verifier:

            for certificate in certificates:
                builder.add_root_certificate(certificate)

This seems fishy, since the Verifier does handle the signing certificate, root and intermediates separately, at least in some places.

Metadata

Labels

bug (Something isn't working)