Clarify if "signatures" can be extended #203
Comments
This was referenced Jan 27, 2022
|
I don't think we should allow it. There are use cases in DSSE where you may want additional fields, but arguments remain open: Let's clarify the spec to reflect this. |
|
@mnm678, @asraa and @jku shared their opinions on the I initially thought it's applicable only to the SIGNED fields as I am no longer certain there is a need for any clarification... I will close the issue and if somebody thinks I am mistaken, please share why and I will reopen it. |
MVrachev
added a commit
to MVrachev/securesystemslib
that referenced
this issue
Feb 9, 2022
The TUF specification says the following regarding unknown fields: "All of the formats described below include the ability to add more attribute-value fields to objects for backward-compatible format changes. Implementers who encounter undefined attribute-value pairs in the format must include the data when calculating hashes or verifying signatures and must preserve the data when re-serializing." From: https://theupdateframework.github.io/specification/latest/#document-formats This section is the reason ADR0008 was accepted inside python-tuf (see here: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0008-accept-unrecognised-fields.md) and we have added support for unrecognized fields for all fields inside the SIGNED portion of the metadata. However, this limits what the citation implies or that everywhere there inside the metadata files including signatures we should accept unrecognized fields. That's why I made these changes. These changes have the approval of the community see: - theupdateframework/specification#203 - theupdateframework/python-tuf#1802 Signed-off-by: Martin Vrachev <[email protected]>
MVrachev
added a commit
to MVrachev/securesystemslib
that referenced
this issue
Feb 9, 2022
The TUF specification says the following regarding unknown fields: "All of the formats described below include the ability to add more attribute-value fields to objects for backward-compatible format changes. Implementers who encounter undefined attribute-value pairs in the format must include the data when calculating hashes or verifying signatures and must preserve the data when re-serializing." From: https://theupdateframework.github.io/specification/latest/#document-formats This section is the reason ADR0008 was accepted inside python-tuf (see here: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0008-accept-unrecognised-fields.md) and we have added support for unrecognized fields for all fields inside the SIGNED portion of the metadata. However, this limits what the citation implies or that everywhere there inside the metadata files including signatures we should accept unrecognized fields. That's why I made these changes. These changes have the approval of the community see: - theupdateframework/specification#203 - theupdateframework/python-tuf#1802 Signed-off-by: Martin Vrachev <[email protected]>
3 tasks
MVrachev
added a commit
to MVrachev/securesystemslib
that referenced
this issue
Feb 9, 2022
The TUF specification says the following regarding unknown fields: "All of the formats described below include the ability to add more attribute-value fields to objects for backward-compatible format changes. Implementers who encounter undefined attribute-value pairs in the format must include the data when calculating hashes or verifying signatures and must preserve the data when re-serializing." From: https://theupdateframework.github.io/specification/latest/#document-formats This section is the reason ADR0008 was accepted inside python-tuf (see here: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0008-accept-unrecognised-fields.md) and we have added support for unrecognized fields for all fields inside the SIGNED portion of the metadata. However, this limits what the citation implies or that everywhere there inside the metadata files including signatures we should accept unrecognized fields. That's why I made these changes. These changes have the approval of the community see: - theupdateframework/specification#203 - theupdateframework/python-tuf#1802 Another change I had to do, so I can add unrecognized fields support inside Signature is to make "Signature.from_dict()" to behave the same way as the rest of the "from_dict()" functions inside TUF or destroy the input dictionary. This was necessary, as that provides me with an easy way to pass the unrecognized fields to the constructor. Signed-off-by: Martin Vrachev <[email protected]>
MVrachev
added a commit
to MVrachev/securesystemslib
that referenced
this issue
Feb 9, 2022
The TUF specification says the following regarding unknown fields: "All of the formats described below include the ability to add more attribute-value fields to objects for backward-compatible format changes. Implementers who encounter undefined attribute-value pairs in the format must include the data when calculating hashes or verifying signatures and must preserve the data when re-serializing." From: https://theupdateframework.github.io/specification/latest/#document-formats This section is the reason ADR0008 was accepted inside python-tuf (see here: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0008-accept-unrecognised-fields.md) and we have added support for unrecognized fields for all fields inside the SIGNED portion of the metadata. However, this limits what the citation implies or that everywhere there inside the metadata files including signatures we should accept unrecognized fields. That's why I made these changes. These changes have the approval of the community see: - theupdateframework/specification#203 - theupdateframework/python-tuf#1802 Another change I had to do, so I can add unrecognized fields support inside Signature is to make "Signature.from_dict()" to behave the same way as the rest of the "from_dict()" functions inside TUF or destroy the input dictionary. This was necessary, as that provides me with an easy way to pass the unrecognized fields to the constructor. Signed-off-by: Martin Vrachev <[email protected]>
This was referenced Feb 9, 2022
MVrachev
added a commit
to MVrachev/securesystemslib
that referenced
this issue
Feb 16, 2022
The TUF specification says the following regarding unknown fields: "All of the formats described below include the ability to add more attribute-value fields to objects for backward-compatible format changes. Implementers who encounter undefined attribute-value pairs in the format must include the data when calculating hashes or verifying signatures and must preserve the data when re-serializing." From: https://theupdateframework.github.io/specification/latest/#document-formats This section is the reason ADR0008 was accepted inside python-tuf (see here: https://github.com/theupdateframework/python-tuf/blob/develop/docs/adr/0008-accept-unrecognised-fields.md) and we have added support for unrecognized fields for all fields inside the SIGNED portion of the metadata. However, this limits what the citation implies or that everywhere there inside the metadata files including signatures we should accept unrecognized fields. That's why I made these changes. These changes have the approval of the community see: - theupdateframework/specification#203 - theupdateframework/python-tuf#1802 Another change I had to do, so I can add unrecognized fields support inside Signature is to make "Signature.from_dict()" to behave the same way as the rest of the "from_dict()" functions inside TUF or destroy the input dictionary. This was necessary, as that provides me with an easy way to pass the unrecognized fields to the constructor. Signed-off-by: Martin Vrachev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Document formats section of the specification says the following:
This implies that the specification implementations should support unrecognized fields at each place in the SIGNED portion as they will be used to calculate the hashes or do signature verification.
It's a little unclear for me if unrecognized fields are allowed in the signatures dictionaries.
Any opinions?
The text was updated successfully, but these errors were encountered: