From 56e750241db431c9a052646de295a324fbc17347 Mon Sep 17 00:00:00 2001 From: Aditya Sirish Date: Mon, 21 Jun 2021 13:52:22 -0400 Subject: [PATCH] Remove POUF-2; Update POUF-1 with DSSE changes Signed-off-by: Aditya Sirish --- POUFs/pouf2.md | 66 ----------------------------------- POUFs/reference-POUF/pouf1.md | 51 +++++++++++++++++++-------- 2 files changed, 36 insertions(+), 81 deletions(-) delete mode 100644 POUFs/pouf2.md diff --git a/POUFs/pouf2.md b/POUFs/pouf2.md deleted file mode 100644 index 6e8a3afb..00000000 --- a/POUFs/pouf2.md +++ /dev/null @@ -1,66 +0,0 @@ -* POUF: 2 -* Title: Reference Implementation Using DSSE -* Version: 1 -* Last-Modified: 09-Jun-2021 -* Author: Aditya Sirish A Yelgundhalli -* Status: Draft -* TUF Version Implemented: -* Implementation Version(s) Covered: -* Content-Type: text/markdown -* Created: 09-Jun-2021 - -# Abstract - -This POUF describes a proposal to switch the TUF reference implementation maintained by NYU to using Dead Simple Signing Envelope (DSSE). - -# Protocol - -Refer to POUF-1. - -# Operations - -Refer to POUF-1. - -# Usage - -Refer to POUF-1. - -# Formats - -## General Principals - -All signed metadata objects have the format defined in DSSE v1: - - { - "payload": "", - "payloadType": "", - "signatures": [{ - "keyid": "", - "sig": "" - }] - } - - where: - - * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type. - - * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json identifying it as TUF metadata. - - * KEYID is the identifier of the key signing the ROLE dictionary. - - * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE. - -For key formats, refer to POUF-1. - - -## File Formats - -Refer to POUF-1. - -# Security Audit - -The parts of this profile borrowed from POUF-1 were included in TUF security audits available at https://theupdateframework.github.io/audits.html. The new signature wrapper has not yet been audited. - -# Version History - -N/A \ No newline at end of file diff --git a/POUFs/reference-POUF/pouf1.md b/POUFs/reference-POUF/pouf1.md index b4b8c67a..b4ac604c 100644 --- a/POUFs/reference-POUF/pouf1.md +++ b/POUFs/reference-POUF/pouf1.md @@ -1,11 +1,11 @@ -* POUF: 1 -* Title: Reference Implementation Using Canonical JSON -* Version: 2 -* Last-Modified: 06-May-2020 +*" POUF: 1 +* Title: Reference Implementation Using Canonical JSON and DSSE +* Version: 3 +* Last-Modified: 21-Jun-2021 * Author: Marina Moore, Joshua Lock * Status: Draft * TUF Version Implemented: 1.0 -* Implementation Version(s) Covered: v0.12.* +* Implementation Version(s) Covered: TODO * Content-Type: text/markdown * Created: 25-November-2018 @@ -14,7 +14,7 @@ This POUF describes the protocol, operations, usage, and formats for the TUF ref The reference implementation includes all required features of the TUF standard, as well as many of the optional features as a reference for anyone wishing to implement TUF. The implementation uses Canonical JSON encoding. -This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES. +This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES. TODO: update this bit # Protocol @@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed: # Formats ## General Principals -All signed metadata objects have the format: - - { "signed" : ROLE, - "signatures" : [ - { "keyid" : KEYID, - "sig" : SIGNATURE } - , ... ] +All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec): + + { + "payload": "", + "payloadType": "", + "signatures": [{ + "keyid": "", + "sig": "" + }] } - where: - * ROLE is a dictionary whose "_type" field describes the role type. + * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type. + + * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata. * KEYID is the identifier of the key signing the ROLE dictionary. @@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef # Version History +## 3 +Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata. + ## 2 Updated to reflect the latest (v0.12.2) reference implementation. * snapshot.json lists only the top-level and delegated targets metadata * timestamp.json includes hashes and length of snapshot.json + { "signed" : ROLE, + "signatures" : [ + { "keyid" : KEYID, + "sig" : SIGNATURE } + , ... ] + } + + + where: + + * ROLE is a dictionary whose "_type" field describes the role type. + + * KEYID is the identifier of the key signing the ROLE dictionary. + + * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE. \ No newline at end of file