Remove POUF-2; Update POUF-1 with DSSE changes

Signed-off-by: Aditya Sirish <[email protected]>
theupdateframework · Jun 21, 2021 · 56e7502 · 56e7502
1 parent 4cbb8d5
commit 56e7502
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 81 deletions.
diff --git a/POUFs/pouf2.md b/POUFs/pouf2.md
diff --git a/POUFs/reference-POUF/pouf1.md b/POUFs/reference-POUF/pouf1.md
@@ -1,11 +1,11 @@
-* POUF: 1
-* Title: Reference Implementation Using Canonical JSON
-* Version: 2
-* Last-Modified: 06-May-2020
+*" POUF: 1
+* Title: Reference Implementation Using Canonical JSON and DSSE
+* Version: 3
+* Last-Modified: 21-Jun-2021
 * Author: Marina Moore, Joshua Lock
 * Status: Draft
 * TUF Version Implemented: 1.0
-* Implementation Version(s) Covered: v0.12.*
+* Implementation Version(s) Covered: TODO
 * Content-Type: text/markdown
 * Created: 25-November-2018
 
@@ -14,7 +14,7 @@ This POUF describes the protocol, operations, usage, and formats for the TUF ref
 
 The reference implementation includes all required features of the TUF standard, as well as many of the optional features as a reference for anyone wishing to implement TUF. The implementation uses Canonical JSON encoding.
 
-This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES.
+This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES. TODO: update this bit
 
 # Protocol
 
@@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed:
 # Formats
 
 ## General Principals
-All signed metadata objects have the format:
-
-       { "signed" : ROLE,
-         "signatures" : [
-            { "keyid" : KEYID,
-              "sig" : SIGNATURE }
-            , ... ]
+All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec):
+
+       {
+         "payload": "<Base64(SERIALIZED_BODY)>",
+         "payloadType": "<PAYLOAD_TYPE>",
+         "signatures": [{
+           "keyid": "<KEYID>",
+           "sig": "<Base64(SIGNATURE)>"
+         }]
        }
 
-
    where:
 
-          * ROLE is a dictionary whose "_type" field describes the role type.
+          * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type.
+
+          * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata.
 
           * KEYID is the identifier of the key signing the ROLE dictionary.
 
@@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef
 
 # Version History
 
+## 3
+Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata.
+
 ## 2
 Updated to reflect the latest (v0.12.2) reference implementation.
 * snapshot.json lists only the top-level and delegated targets metadata
 * timestamp.json includes hashes and length of snapshot.json
+       { "signed" : ROLE,
+         "signatures" : [
+            { "keyid" : KEYID,
+              "sig" : SIGNATURE }
+            , ... ]
+       }
+
+
+   where:
+
+          * ROLE is a dictionary whose "_type" field describes the role type.
+
+          * KEYID is the identifier of the key signing the ROLE dictionary.
+
+          * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE.