TUF Community Meeting

Skip to first unread message

Marina Moore

May 15, 2020, 2:50:39 PM5/15/20
to theupdate...@googlegroups.com

I have included the notes from the 4/27 TUF community meeting. In addition, we are planning the next TUF community meeting for the last week of May. Please fill out the doodle poll here: https://doodle.com/poll/gp7gkxe6ybbvuhn8 with your availability that week.

Here are the notes:

Meeting Participants

Marina Moore, Moderator

Sumana Harihareswara, Trishank Kuppusamy, Joshua Lock, Teodora Seechkova, Kay Williams, William Woodruff, Aditya Sirish A Yelgundhalli


Below is a brief summary of the topics discussed in our third TUF Community Meeting,  and any decisions made by the group. 


Canonical JSON

A number of pull requests on the specification, reference implementation, and securesystem lib repository have raised questions about whether Canonical JSON is the correct format for TUF, and have suggested we consider switching to another format that has wider cross-language support. If the former option is chosen, then it was felt we need to be a little more explicit in how this format is expressed. A third possibility was also raised: making the TUF specification a bit more flexible by not specifying any type of wireline format.


As both the pull requests and the discussion at the meeting indicated, current usage of this format is flawed in part because a “standard” representation of Canonical JSON may or may not exist at this point. For example, the version used by Notary is different from what is used by the Reference Implementation.


It was pointed out that IETF is currently drafting a specification that, according to a recent draft found at https://datatracker.ietf.org/doc/draft-rundgren-json-canonicalization-scheme/, “defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON

primitives defined by ECMAScript, constraining JSON data to the  I-JSON subset, and by using deterministic property sorting.” The consensus was that it would make sense to wait and see what comes out of this initiative.


Note that, a week after the meeting, Joshua Lock opened an issue on the TUF mailing list to continue this discussion. Comments can be shared at https://groups.google.com/forum/#!topic/the update framework/xuT5wDA8kh8.


PRs Cited


Canonical JSON may not be valid JSON · #92 · theupdateframework/tuf 

Update JSON canonicalization· #159 · secure-systems-lab/securesystemslib

Canonical JSON is unclear · #457 · theupdateframework/tuf


Refactoring code

Marina Moore noted that there is a need to clean up code in the TUF specification. Of particular concern was code related to key management, and making a proper distinction between roles and delegations. 


Aditya Sirish  and Trishank Kuppusamy both offered to help resolve these issues, as did Marina. Lukas Puhringer is taking paternity leave right now, but he will also likely be involved in this effort when he returns. Anyone interested in working on this can review the PRs listed below.

Roadmap for cli tools: repo.py, client.py · Issue #881 · theupdateframework/tuf

Roles and Delegations are still confused in parts of the implementation · Issue #660 · theupdateframework/tuf      


Key IDs and Hash Algorithms

The last item of discussion looked at the issue of keyIDs and the possibility of creating a more flexible approach to specifying hash algorithms. This issue was recently accepted as draft candidate TAP 12, and can be found at  https://github.com/theupdateframework/taps/blob/master/tap12.md.


Marina observed that having a rigid approach to keyids has not presented any problems at this point, but it does use more space than is necessary for a unique identifier.  The change might create a possible conflict with TAP 3.


Though the consensus was the current proposed TAP dealing with this issue is probably all right, and would not affect backwards capability, there was a bit of discussion about the general question of flexibility at the heart of this TAP. 


Reviews and comments of the draft TAP are welcome.


Next Meeting

The next meeting will be held sometime in late May. Marina will send out a Doodle poll to pick the best date. We hope to involve representatives from other TUF implementations (such as Go Tough, Docker, and Google to share notes on their progress). As the consensus was that it would be useful to learn more about how TUF is being deployed.

We will also investigate using HackMD or a similar program to keep a running transcription of meeting discussions.


Marina Moore

May 20, 2020, 12:58:20 PM5/20/20
to theupdate...@googlegroups.com, William Woodruff, ili...@buttslol.net

The next TUF community meeting will be Wednesday May 27 at 10am ET at https://meet.jit.si/TUFCommunityMeeting. Please let me know if there is anything you would like to discuss with the TUF community or if you have any questions. A draft agenda is available at https://hackmd.io/jdAk9rmPSpOYUdstbIvbjw and will be updated as more agenda items are proposed.

I hope to see you there.

Reply all
Reply to author
0 new messages