Hello all,
Marina Moore and I have co-authored TAP-17, which proposes removing the
descriptions of file and key formats from the specification and instead
replacing them with certain properties that any TUF implementation must
provide in its signature wrapper. Further, we propose a change to
POUF-1, which describes the reference implementation, that would switch
the implementation to using v1.0 of DSSE. DSSE has several advantages
over the signature wrapper currently used by TUF such as:
* it does not require canonicalization for verification => there is no
need to parse the document pre-verification
* it includes an authenticated payload type field that can be used to
avoid confusion attacks
* it supports arbitrary payload encodings, and not just JSON
You can find this new specification here:
https://github.com/secure-systems-lab/dsse. The pull request with
TAP-17 and the changes to POUF-1 is here:
https://github.com/theupdateframework/taps/pull/138.
Note that a similar change is coming to TUF's sister project, in-toto,
through ITE-5:
https://github.com/in-toto/ITE/blob/master/ITE/5/README.adoc.
We're looking for feedback that folks may have on these proposed
changes. Please reach out to us with any thoughts or questions you may have.
Thanks!
Aditya Sirish
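
The DSSE properties listed in the message above, shown as an added example that is not part of the original e-mail and is not code from TUF, in-toto or the DSSE project: the signature covers the DSSE v1 pre-authentication encoding of the payload type and the raw payload bytes, so verification needs no canonicalization and a changed payload type is rejected. Assumptions: HMAC-SHA256 stands in for a real signature scheme so the block runs with the standard library only, and the key, key ID and payload type strings are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration only (not taken from TAP-17 or POUF-1).
DEMO_KEY = b"constructed-demo-key"
DEMO_TYPE = "application/vnd.example-tuf+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes that are signed."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)

def _mac(key: bytes, payload_type: str, payload: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the signature scheme.
    return hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()

def sign(key: bytes, payload_type: str, payload: bytes) -> dict:
    sig = _mac(key, payload_type, payload)
    return {
        "payload": base64.b64encode(payload).decode(),
        "payloadType": payload_type,
        "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}],
    }

def verify(key: bytes, envelope: dict, expected_type: str) -> bytes:
    """Return the payload bytes only if a signature verifies; never parses the payload."""
    payload = base64.b64decode(envelope["payload"])
    want = _mac(key, envelope["payloadType"], payload)
    sigs = (base64.b64decode(s["sig"]) for s in envelope["signatures"])
    if not any(hmac.compare_digest(want, s) for s in sigs):
        raise ValueError("signature verification failed")
    if envelope["payloadType"] != expected_type:
        raise ValueError("unexpected payload type")
    return payload

def rejected(key: bytes, envelope: dict, expected_type: str) -> bool:
    try:
        verify(key, envelope, expected_type)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    raw = b'{ "version":1,   "_type":"root" }'  # deliberately non-canonical JSON
    env = sign(DEMO_KEY, DEMO_TYPE, raw)
    print(json.loads(verify(DEMO_KEY, env, DEMO_TYPE)))  # parse only after verifying
    print(rejected(DEMO_KEY, dict(env, payloadType="application/vnd.other+json"), DEMO_TYPE))
```

The payload is handed to `json.loads` only after `verify` returns, and re-serialising the same JSON with different whitespace or key order produces different bytes and therefore fails verification.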