Adopt TAP 3 multi-role delegations metadata format #57
Conversation
There was a problem hiding this comment.
Here are a few things I noted while adopting TAP3 metadata format. I'd appreciate thoughts (cc @JustinCappos, @mnm678, @SantiagoTorres).
tuf-spec.md
Outdated
| @@ -790,7 +790,10 @@ repo](https://github.com/theupdateframework/specification/issues). | |||
| "version" : VERSION, | |||
| "expires" : EXPIRES, | |||
| "targets" : TARGETS, | |||
| ("delegations" : DELEGATIONS) | |||
| ("keys_for_delegations" : { | |||
There was a problem hiding this comment.
Wouldn't it be enough to just call this keys?
There was a problem hiding this comment.
IMHO this field should be under delegations, but then delegations would have to remain a dictionary and we'd have to find another name for the list that contains all the delegations...
There was a problem hiding this comment.
I think we should keep the keys separate for clarity.
There was a problem hiding this comment.
Okay, keeping it separate works for me. And what about my suggestion to call it keys only? Because the keys field in root.json in reality also lists "keys for delegations", i.e. keys to delegate trust to other top-level roles, but is only called keys.
There was a problem hiding this comment.
Calling it keys to match root.json makes sense.
tuf-spec.md
Outdated
| "paths" : [ PATHPATTERN, ... ]), | ||
| "terminating": TERMINATING, | ||
| "min_roles_in_agreement" : NUM_ROLES, | ||
| "roleinfo": [{ |
There was a problem hiding this comment.
Prior to TAP 3 delegated roles were listed in the roles field. Should we keep that name?
There was a problem hiding this comment.
I like roles, it makes it clear that there can be multiple roles
| ("path_hash_prefixes" : [ HEX_DIGEST, ... ] | | ||
| "paths" : [ PATHPATTERN, ... ]), | ||
| "terminating": TERMINATING, | ||
| "min_roles_in_agreement" : NUM_ROLES, |
There was a problem hiding this comment.
This was probably named min_roles_in_agreement to distinguish it from the signature threshold field. But I find it odd that one threshold field has such a specific name and the other one is generic.
Maybe the scope (delegation vs. role) is disambiguation enough and we can both call threshold?
There was a problem hiding this comment.
maybe delegation_threshold?
There was a problem hiding this comment.
The field is a property of the delegation object. Addressing it as delegation.delegation_threshold seems like unnecessary redundancy.
There was a problem hiding this comment.
I agree. Let's just call it threshold.
There was a problem hiding this comment.
That was the reasoning, yes (distinguishing it from the other threshold). If you think it'll not be confused, then it's nice to set it to something simple.
There was a problem hiding this comment.
Thinking about it some more, it does make sense to distinguish it from the other threshold. Ideally, we'd have equally specific names for both, e.g. role.min_keys_in_agreement and delegation.min_roles_in_agreement or role.signature_threshold and delegation.role_threshold.
Is renaming the existing threshold field an option? Is it worthwhile? This will be is a breaking change anyway. :)
Until then I'll just leave it as threshold and min_roles_in_agreement.
| { | ||
| "name": DELEGATION_NAME, | ||
| ("path_hash_prefixes" : [ HEX_DIGEST, ... ] | | ||
| "paths" : [ PATHPATTERN, ... ]), |
There was a problem hiding this comment.
TAP 3 only mentions paths, but I guess we still want to support path_hash_prefixes?
There was a problem hiding this comment.
yes, especially for PEP 458
|
Interestingly, the client workflow had already mentioned multi-role delegation (prior to this PR). b46dc5e adds some clarification about the role threshold ( |
|
Do we consider backwards-compatibility? If not, why not? |
tuf-spec.md
Outdated
| @@ -790,7 +790,10 @@ repo](https://github.com/theupdateframework/specification/issues). | |||
| "version" : VERSION, | |||
| "expires" : EXPIRES, | |||
| "targets" : TARGETS, | |||
| ("delegations" : DELEGATIONS) | |||
| ("keys_for_delegations" : { | |||
There was a problem hiding this comment.
I think we should keep the keys separate for clarity.
| ("path_hash_prefixes" : [ HEX_DIGEST, ... ] | | ||
| "paths" : [ PATHPATTERN, ... ]), | ||
| "terminating": TERMINATING, | ||
| "min_roles_in_agreement" : NUM_ROLES, |
There was a problem hiding this comment.
maybe delegation_threshold?
tuf-spec.md
Outdated
| "paths" : [ PATHPATTERN, ... ]), | ||
| "terminating": TERMINATING, | ||
| "min_roles_in_agreement" : NUM_ROLES, | ||
| "roleinfo": [{ |
There was a problem hiding this comment.
I like roles, it makes it clear that there can be multiple roles
tuf-spec.md
Outdated
| recursively visit each role, and check that each has signed exactly the | ||
| same non-custom metadata (i.e., length and hashes) about the target (or | ||
| the lack of any such metadata). | ||
| recursively visit each role, and check that a defined threshold of |
There was a problem hiding this comment.
where does this threshold come from?
If yes, we would need to change the spec to version 2.0.0. However, we have previously stated that TAP 3 is part of TUF 1.0.0. I think for now we should include this change in 1.0.0. |
This PR is not the right place to ask these questions. This PR only restores consistency with backwards incompatible changes that have already been made. That is, claiming that the spec supports TAP 3 and TAP 4 (see #51). If 1.0.0 of the spec should not break backwards compatibility, then we must revert those claims. But I agree with @mnm678 that we should get this (and TAP 4) into the spec now, and then make a formal 1.0.0 release. 1.0.0 will also help us to lead a more structured discussion about backwards compatibility (#33 has not yet been resolved!). Independently, and I think that's the operational concern here (@trishankatdatadog?), we can discuss whether python-tuf should remain backwards compatible or not. |
|
I just pushed some renames (3c3b687) as discussed above. This discussion about Also, should we propagate the renames to the actual TAP 3 document? |
This extends the spec to clarify that when searching for the key that signed a delegated role, that key should only be found in the delegating target, and not any other role in the delegation chain. This incorporates language suggested by lukpueh in theupdateframework#58, and the definition of the keys field from [TAP 3](theupdateframework#57). Closes theupdateframework#58
lukpueh
force-pushed
the
adopt-tap3-metadata
branch
from
3c3b687 to
558ab11
Compare
The specification claims that it adheres to TAP 3 and TAP 4, which is not the case. TAP 3 requires changes to the existing metadata format (prepared in theupdateframework#57) and TAP 4 adds a new metadata file (map.json), which is not yet mentioned in the specification (issue described in theupdateframework#88). As agreed in the TUF community meeting on Dec 10, 2019, we remove TAP 3 and TAP 4 (adherence claims), for a formal 1.0.0 release and add TAP 4 in version 1.1.x and TAP 3 in version 2.x.x. (see meeting notes about "Versioning" https://groups.google.com/forum/#!msg/theupdateframework/oPTliXibT_4/0tJ_POLGAwAJ)
|
As discussed in the TUF community meeting on Dec 10, 2019 the changes of this PR require a major bump of the spec version (see meeting notes about "Versioning" ). |
Update "4.5. File formats: targets.json and delegated target roles" to reflect metadata format introduced by TAP 3
Clarify in step 4.5.2.1 of the client workflow that in a multi-role delegation not each but rather a defined threshold of roles must agree on the target hashes and lengths (see `min_roles_in_agreement`).
`keys_for_delegations` --> `keys` (the keys field in root.json in reality also lists "keys for delegations", i.e. keys to delegate trust to other top-level roles, but is only called keys) `roleinfo` --> `roles` (keeping the name for delegated roles as it was before TAP3)
lukpueh
force-pushed
the
adopt-tap3-metadata
branch
from
558ab11 to
3962417
Compare
|
Note: We will merge this PR into |
There was a problem hiding this comment.
I think this looks good as the first pr for version 2.0.0. Could someone with write access merge this into draft (and possibly give me write access)? @trishankatdatadog @JustinCappos
Thanks for the review! |
Update section "4.5. File formats: targets.json and delegated target roles" to reflect metadata format introduced by TAP 3.
Note that TAP 3 is not implemented in the reference implementation, which claims to be spec 1.0.0 conformant!