Remove POUF-2; Update POUF-1 with DSSE changes

Signed-off-by: Aditya Sirish <[email protected]>
theupdateframework · Jun 21, 2021 · c80aefe · c80aefe
1 parent 4cbb8d5
commit c80aefe
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 81 deletions.
diff --git a/POUFs/pouf2.md b/POUFs/pouf2.md
diff --git a/POUFs/reference-POUF/pouf1.md b/POUFs/reference-POUF/pouf1.md
@@ -1,11 +1,11 @@
-* POUF: 1
-* Title: Reference Implementation Using Canonical JSON
-* Version: 2
-* Last-Modified: 06-May-2020
+*" POUF: 1
+* Title: Reference Implementation Using Canonical JSON and DSSE
+* Version: 3
+* Last-Modified: 21-Jun-2021
 * Author: Marina Moore, Joshua Lock
 * Status: Draft
 * TUF Version Implemented: 1.0
-* Implementation Version(s) Covered: v0.12.*
+* Implementation Version(s) Covered: TODO
 * Content-Type: text/markdown
 * Created: 25-November-2018
 
@@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed:
 # Formats
 
 ## General Principals
-All signed metadata objects have the format:
-
-       { "signed" : ROLE,
-         "signatures" : [
-            { "keyid" : KEYID,
-              "sig" : SIGNATURE }
-            , ... ]
+All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec):
+
+       {
+         "payload": "<Base64(SERIALIZED_BODY)>",
+         "payloadType": "<PAYLOAD_TYPE>",
+         "signatures": [{
+           "keyid": "<KEYID>",
+           "sig": "<Base64(SIGNATURE)>"
+         }]
        }
 
-
    where:
 
-          * ROLE is a dictionary whose "_type" field describes the role type.
+          * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type.
+
+          * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata.
 
           * KEYID is the identifier of the key signing the ROLE dictionary.
 
@@ -347,7 +350,7 @@ The timestamp file is signed by a timestamp key.  It indicates the
                "hashes" : HASHES }
            , ...
          }
-
+t
      METAPATH is the the snapshot metadata file's path on the repository
      relative to the metadata base URL.
 
@@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef
 
 # Version History
 
+## 3
+Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata.
+
 ## 2
 Updated to reflect the latest (v0.12.2) reference implementation.
 * snapshot.json lists only the top-level and delegated targets metadata
 * timestamp.json includes hashes and length of snapshot.json
+       { "signed" : ROLE,
+         "signatures" : [
+            { "keyid" : KEYID,
+              "sig" : SIGNATURE }
+            , ... ]
+       }
+
+
+   where:
+
+          * ROLE is a dictionary whose "_type" field describes the role type.
+
+          * KEYID is the identifier of the key signing the ROLE dictionary.
+
+          * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE.