Hi Prashanth,
Thanks for the kind words and your questions. The 'keyid_hash_algorithms' field
only exists in the reference implementation, and not in the TUF specification.
There is an ongoing discussion about the use of this field [1] and the related
issues, and there is also a draft TAP that proposes a more flexible way of
handling keyids in TUF metadata [2], which was motivated by this discussion.
I hope this helps.
Thanks,
Lukas
[1]
https://github.com/theupdateframework/tuf/issues/848
[2]
https://github.com/theupdateframework/taps/blob/master/tap12.md
On 17.07.2020 12:31 PM, Prashanth M wrote:
> Hi folks,
>
> I am sort of new to TUF; by 'sort of' I mean that I have been reading up on
> TUF for a while now but haven't been able to devote enough time to gain a
> good understanding. Got some time recently and read up a bit on TUF and I
> have some questions, but before I ask them, I would like to say thanks to
> the TUF team for the time and effort you all have put in towards developing
> TUF. I think that this framework addresses a major gap and I hope that it
> catches on widely.
>
> Here's my question. Has the "keyid_hash_algorithms" metadata attribute been
> removed from the latest TUF Specification (1.0.4)?
>
> I am a bit confused because I cannot find it either in root.json or
> targets.json examples in the TUF specification version 1.0.4 page at
>
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_theupdateframework_specification_blob_master_tuf-2Dspec.md&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=2YMLsMLCML1EOEAeVc1Mhx6J99vqRVHSnZUnatehIDg&m=z9Bfm5pwHZzIiNa4C6jCe-gjoyvHdSrIJVkQrCeIOoU&s=40YKij0LkrgZo7wyr9x1dyxGhqI8rGq9WKJSilMxyG4&e= .
>
> However I can see this attribute in two other places:
> 1) In the metadata examples given in
>
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_theupdateframework_tuf_blob_develop_docs_METADATA.md&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=2YMLsMLCML1EOEAeVc1Mhx6J99vqRVHSnZUnatehIDg&m=z9Bfm5pwHZzIiNa4C6jCe-gjoyvHdSrIJVkQrCeIOoU&s=H9LJHGx9Xrs5hVhZpim0gYQfFOCo-1TSWXqcyWewdog&e= .
> 2) After installing TUF using pip and creating a basic repository using
> 'repo.py --init' command, I can see the attribute in all the root.json
> files under tufclient and tufrepo directories.
>
> Has the attribute been removed from the latest 1.0.4 spec? If yes, then
> does this mean that the other two places I have listed above are yet to be
> updated to conform to 1.0.4 spec?
>
> Regards
> Prashanth
>
--
lukas.pu...@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8