|
1 |
| -* POUF: 1 |
2 |
| -* Title: Reference Implementation Using Canonical JSON |
3 |
| -* Version: 2 |
4 |
| -* Last-Modified: 06-May-2020 |
| 1 | +*" POUF: 1 |
| 2 | +* Title: Reference Implementation Using Canonical JSON and DSSE |
| 3 | +* Version: 3 |
| 4 | +* Last-Modified: 21-Jun-2021 |
5 | 5 | * Author: Marina Moore, Joshua Lock
|
6 | 6 | * Status: Draft
|
7 | 7 | * TUF Version Implemented: 1.0
|
8 |
| -* Implementation Version(s) Covered: v0.12.* |
| 8 | +* Implementation Version(s) Covered: TODO |
9 | 9 | * Content-Type: text/markdown
|
10 | 10 | * Created: 25-November-2018
|
11 | 11 |
|
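Review bot: The new first header line reads `*" POUF: 1`, with a stray `"` after the asterisk that the other header fields do not have; it should be `* POUF: 1`. In the same block, `Implementation Version(s) Covered: TODO` replaces `v0.12.*` with a placeholder, so the header no longer says which implementation release corresponds to Version 3. Fill that in, or state explicitly that no release is covered yet, before this leaves Draft.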
@@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed:
|
67 | 67 | # Formats
|
68 | 68 |
|
69 | 69 | ## General Principals
|
70 |
| -All signed metadata objects have the format: |
71 |
| - |
72 |
| - { "signed" : ROLE, |
73 |
| - "signatures" : [ |
74 |
| - { "keyid" : KEYID, |
75 |
| - "sig" : SIGNATURE } |
76 |
| - , ... ] |
| 70 | +All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec): |
| 71 | + |
| 72 | + { |
| 73 | + "payload": "<Base64(SERIALIZED_BODY)>", |
| 74 | + "payloadType": "<PAYLOAD_TYPE>", |
| 75 | + "signatures": [{ |
| 76 | + "keyid": "<KEYID>", |
| 77 | + "sig": "<Base64(SIGNATURE)>" |
| 78 | + }] |
77 | 79 | }
|
78 | 80 |
|
79 |
| - |
80 | 81 | where:
|
81 | 82 |
|
82 |
| - * ROLE is a dictionary whose "_type" field describes the role type. |
| 83 | + * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type. |
| 84 | + |
| 85 | + * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata. |
83 | 86 |
|
84 | 87 | * KEYID is the identifier of the key signing the ROLE dictionary.
|
85 | 88 |
|
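Review bot: The unchanged KEYID line (new line 87) still says "the key signing the ROLE dictionary", but this hunk renames ROLE to SERIALIZED_BODY, so ROLE is no longer defined anywhere in the list. Update that line to name what the key signs under the new envelope. The SERIALIZED_BODY entry also describes it as "a dictionary" while the envelope field is `Base64(SERIALIZED_BODY)`, so the text should say which serialization produces the bytes that are Base64-encoded. Wording fix on new line 85: "PAYLOAD_TYPE is a fixed as" should read "PAYLOAD_TYPE is fixed as".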
@@ -347,7 +350,7 @@ The timestamp file is signed by a timestamp key. It indicates the
|
347 | 350 | "hashes" : HASHES }
|
348 | 351 | , ...
|
349 | 352 | }
|
350 |
| - |
| 353 | +t |
351 | 354 | METAPATH is the the snapshot metadata file's path on the repository
|
352 | 355 | relative to the metadata base URL.
|
353 | 356 |
|
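Review bot: New line 353 adds a lone `t` where the old file had an empty line between the closing `}` of the example and the METAPATH paragraph. This looks like an accidental keystroke and will appear as stray text in the rendered document; restore the blank line.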
@@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef
|
406 | 409 |
|
407 | 410 | # Version History
|
408 | 411 |
|
| 412 | +## 3 |
| 413 | +Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata. |
| 414 | + |
409 | 415 | ## 2
|
410 | 416 | Updated to reflect the latest (v0.12.2) reference implementation.
|
411 | 417 | * snapshot.json lists only the top-level and delegated targets metadata
|
412 | 418 | * timestamp.json includes hashes and length of snapshot.json
|
| 419 | + { "signed" : ROLE, |
| 420 | + "signatures" : [ |
| 421 | + { "keyid" : KEYID, |
| 422 | + "sig" : SIGNATURE } |
| 423 | + , ... ] |
| 424 | + } |
| 425 | + |
| 426 | + |
| 427 | + where: |
| 428 | + |
| 429 | + * ROLE is a dictionary whose "_type" field describes the role type. |
| 430 | + |
| 431 | + * KEYID is the identifier of the key signing the ROLE dictionary. |
| 432 | + |
| 433 | + * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE. |
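Review bot: The `{ "signed" : ROLE, ...` block and its "where:" list at new lines 419-433 are appended directly after the two bullets under "## 2", with no heading or introductory sentence, so they read as part of the version 2 changelog and the document now shows two signature wrappers without saying which one applies. If the intent is to keep the previous wrapper for reference, put it under its own labelled heading with one sentence saying it is the format used before version 3; otherwise drop it from this change.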