"keyid_hash_algorithms" attribute removed from TUF Spec 1.0.4 onwards?
22 views
Skip to first unread message
Prashanth M
Jul 17, 2020, 6:31:13 AM7/17/20
to The Update Framework (TUF)
Hi folks,
I am sort of new to TUF; by 'sort of' I mean that I have been reading up on TUF for a while now but haven't been able to devote enough time to gain a good understanding. Got some time recently and read up a bit on TUF and I have some questions, but before I ask them, I would like to say thanks to the TUF team for the time and effort you all have put in towards developing TUF. I think that this framework addresses a major gap and I hope that it catches on widely.
Here's my question. Has the "keyid_hash_algorithms" metadata attribute been removed from the latest TUF Specification (1.0.4)?
I am a bit confused because I cannot find it either in root.json or targets.json examples in the TUF specification version 1.0.4 page at https://github.com/theupdateframework/specification/blob/master/tuf-spec.md.
However I can see this attribute in two other places:
1) In the metadata examples given in https://github.com/theupdateframework/tuf/blob/develop/docs/METADATA.md.
2) After installing TUF using pip and creating a basic repository using 'repo.py --init' command, I can see the attribute in all the root.json files under tufclient and tufrepo directories.
Has the attribute been removed from the latest 1.0.4 spec? If yes, then does this mean that the other two places I have listed above are yet to be updated to conform to 1.0.4 spec?
Regards
Prashanth
Lukas Puehringer
Jul 17, 2020, 6:41:26 AM7/17/20
to theupdate...@googlegroups.com
Hi Prashanth,
Thanks for the kind words and your questions. The 'keyid_hash_algorithms' field
only exists in the reference implementation, and not in the TUF specification.
There is an ongoing discussion about the use of this field [1] and the related
issues, and there is also a draft TAP that proposes a more flexible way of
handling keyids in TUF metadata [2], which was motivated by this discussion.
I hope this helps.
Thanks,
Lukas
[1] https://github.com/theupdateframework/tuf/issues/848
[2] https://github.com/theupdateframework/taps/blob/master/tap12.md
On 17.07.2020 12:31 PM, Prashanth M wrote:
> Hi folks,
>
> I am sort of new to TUF; by 'sort of' I mean that I have been reading up on
> TUF for a while now but haven't been able to devote enough time to gain a
> good understanding. Got some time recently and read up a bit on TUF and I
> have some questions, but before I ask them, I would like to say thanks to
> the TUF team for the time and effort you all have put in towards developing
> TUF. I think that this framework addresses a major gap and I hope that it
> catches on widely.
>
> Here's my question. Has the "keyid_hash_algorithms" metadata attribute been
> removed from the latest TUF Specification (1.0.4)?
>
> I am a bit confused because I cannot find it either in root.json or
> targets.json examples in the TUF specification version 1.0.4 page at
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_theupdateframework_specification_blob_master_tuf-2Dspec.md&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=2YMLsMLCML1EOEAeVc1Mhx6J99vqRVHSnZUnatehIDg&m=z9Bfm5pwHZzIiNa4C6jCe-gjoyvHdSrIJVkQrCeIOoU&s=40YKij0LkrgZo7wyr9x1dyxGhqI8rGq9WKJSilMxyG4&e= .
lukas.pu...@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8
Thanks for the kind words and your questions. The 'keyid_hash_algorithms' field
only exists in the reference implementation, and not in the TUF specification.
There is an ongoing discussion about the use of this field [1] and the related
issues, and there is also a draft TAP that proposes a more flexible way of
handling keyids in TUF metadata [2], which was motivated by this discussion.
I hope this helps.
Thanks,
Lukas
[1] https://github.com/theupdateframework/tuf/issues/848
[2] https://github.com/theupdateframework/taps/blob/master/tap12.md
On 17.07.2020 12:31 PM, Prashanth M wrote:
> Hi folks,
>
> I am sort of new to TUF; by 'sort of' I mean that I have been reading up on
> TUF for a while now but haven't been able to devote enough time to gain a
> good understanding. Got some time recently and read up a bit on TUF and I
> have some questions, but before I ask them, I would like to say thanks to
> the TUF team for the time and effort you all have put in towards developing
> TUF. I think that this framework addresses a major gap and I hope that it
> catches on widely.
>
> Here's my question. Has the "keyid_hash_algorithms" metadata attribute been
> removed from the latest TUF Specification (1.0.4)?
>
> I am a bit confused because I cannot find it either in root.json or
> targets.json examples in the TUF specification version 1.0.4 page at
>
> However I can see this attribute in two other places:
> 1) In the metadata examples given in
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_theupdateframework_tuf_blob_develop_docs_METADATA.md&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=2YMLsMLCML1EOEAeVc1Mhx6J99vqRVHSnZUnatehIDg&m=z9Bfm5pwHZzIiNa4C6jCe-gjoyvHdSrIJVkQrCeIOoU&s=H9LJHGx9Xrs5hVhZpim0gYQfFOCo-1TSWXqcyWewdog&e= .
> However I can see this attribute in two other places:
> 1) In the metadata examples given in
> 2) After installing TUF using pip and creating a basic repository using
> 'repo.py --init' command, I can see the attribute in all the root.json
> files under tufclient and tufrepo directories.
>
> Has the attribute been removed from the latest 1.0.4 spec? If yes, then
> does this mean that the other two places I have listed above are yet to be
> updated to conform to 1.0.4 spec?
>
> Regards
> Prashanth
>
--
> 'repo.py --init' command, I can see the attribute in all the root.json
> files under tufclient and tufrepo directories.
>
> Has the attribute been removed from the latest 1.0.4 spec? If yes, then
> does this mean that the other two places I have listed above are yet to be
> updated to conform to 1.0.4 spec?
>
> Regards
> Prashanth
>
lukas.pu...@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8
mulgu...@gmail.com
Jul 17, 2020, 8:10:19 AM7/17/20
to The Update Framework (TUF)
Thanks Lukas!
Will follow the discussion and go through the TAP.
Regards
Prashanth
Reply all
Reply to author
Forward
0 new messages