Skip to content

Commit

Permalink
Remove POUF-2; Update POUF-1 with DSSE changes
Browse files Browse the repository at this point in the history
Signed-off-by: Aditya Sirish <aditya@saky.in>
  • Loading branch information
adityasaky committed Jun 22, 2021
1 parent 4cbb8d5 commit d75d24d
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 80 deletions.
66 changes: 0 additions & 66 deletions POUFs/pouf2.md

This file was deleted.

49 changes: 35 additions & 14 deletions POUFs/reference-POUF/pouf1.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
* POUF: 1
* Title: Reference Implementation Using Canonical JSON
* Version: 2
* Last-Modified: 06-May-2020
* Title: Reference Implementation Using Canonical JSON and DSSE
* Version: 3
* Last-Modified: 21-Jun-2021
* Author: Marina Moore, Joshua Lock
* Status: Draft
* TUF Version Implemented: 1.0
* Implementation Version(s) Covered: v0.12.*
* Implementation Version(s) Covered: TODO
* Content-Type: text/markdown
* Created: 25-November-2018

Expand All @@ -14,7 +14,7 @@ This POUF describes the protocol, operations, usage, and formats for the TUF ref

The reference implementation includes all required features of the TUF standard, as well as many of the optional features as a reference for anyone wishing to implement TUF. The implementation uses Canonical JSON encoding.

This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES.
This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES. TODO: update this bit

# Protocol

Expand Down Expand Up @@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed:
# Formats

## General Principals
All signed metadata objects have the format:

{ "signed" : ROLE,
"signatures" : [
{ "keyid" : KEYID,
"sig" : SIGNATURE }
, ... ]
All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec):

{
"payload": "<Base64(SERIALIZED_BODY)>",
"payloadType": "<PAYLOAD_TYPE>",
"signatures": [{
"keyid": "<KEYID>",
"sig": "<Base64(SIGNATURE)>"
}]
}


where:

* ROLE is a dictionary whose "_type" field describes the role type.
* SERIALIZED_BODY is a dictionary whose "_type" field describes the role type.

* PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata.

* KEYID is the identifier of the key signing the ROLE dictionary.

Expand Down Expand Up @@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef

# Version History

## 3
Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata.

## 2
Updated to reflect the latest (v0.12.2) reference implementation.
* snapshot.json lists only the top-level and delegated targets metadata
* timestamp.json includes hashes and length of snapshot.json
{ "signed" : ROLE,
"signatures" : [
{ "keyid" : KEYID,
"sig" : SIGNATURE }
, ... ]
}


where:

* ROLE is a dictionary whose "_type" field describes the role type.

* KEYID is the identifier of the key signing the ROLE dictionary.

* SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE.

0 comments on commit d75d24d

Please sign in to comment.