Skip to content

Can delegated targets public keys be found in the root metadata? #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
erickt opened this issue Nov 5, 2019 · 5 comments · Fixed by #60
Closed

Can delegated targets public keys be found in the root metadata? #58

erickt opened this issue Nov 5, 2019 · 5 comments · Fixed by #60
Labels
question

Comments

@erickt
Copy link
Contributor

erickt commented Nov 5, 2019

In section 4.4.5, is it allowed for TUF clients to find the public keys in the root metadata, or is it required that the keys only be found in the targets (or delegated targets) metadata?
@trishankatdatadog
Copy link
Member

Only the keys for the top-level roles (root, timestamp, snapshot, and targets) are to be trusted from the root role metadata. The rest of the keys come from targets and delegated friends.

Does this answer your question, Eric? Also, what is the context here, please?

@erickt
Copy link
Contributor Author

erickt commented Nov 6, 2019

@trishankatdatadog Thanks! This came from rust-tuf's implementation of resolving a key id to a public key structure. I wanted to see if we should be incorporating the keys listed in the root metadata when trying to find a key. I wasn't sure what we should do if some delegated foo role was signed with a root metadata key, but the key wasn't listed in the targets other intermediate delegated metadata. It sounds like this should be treated as an error, rather than accepting the metadata has a valid signature.

@trishankatdatadog
Copy link
Member

Yeah, it definitely sounds like an error to me.

Ideally, the keys used to verify a metadata file should be scoped. What I mean is that there shouldn't internally be a global map of keys. So even if the root metadata file and some other delegated targets metadata file shared the same keyids, it really shouldn't matter. All top-level role metadata should be scoped to trust only pubkeys from the root metadata, and any delegated targets role metadata should be scoped to trust only pubkeys from the originating delegation in the graph being traversed.

Does this make sense?

@lukpueh
Copy link
Member

lukpueh commented Nov 7, 2019

IMO the spec makes it quite clear that the keys in root.json are for the top-level roles. However, it never mentions explicitly where keys for delegated targets roles are defined.

I have a pending PR that adopts the TAP 3 (multi-role delegation) metadata format, where I describe the keys field of a delegating targets role. @erickt do you think that is sufficient to close this issue?

Alternatively/Additionally, we could add a sentence to 3.1.2.1 Metadata files for targets delegation, that makes it clear that delegated target roles are authorized by the keys listed in the directly delegating target role.

@erickt
Copy link
Contributor Author

erickt commented Nov 7, 2019

@lukpueh Adding a sentence to 3.1.2.1 would be helpful. It might be a little redundant with your TAP 3, but I don't think it hurts to re-state how this should work. I can whip up a sentence for consideration. Thanks!

erickt added a commit to erickt/tuf-specification that referenced this issue Nov 7, 2019
@erickt
delegated targets are authorized by keys in the delegating target roles
475025d 
This extends the spec to clarify that when searching for the key that
signed a delegated role, that key should only be found in the delegating
target, and not any other role in the delegation chain. This incorporates
language suggested by lukpueh in theupdateframework#58, and the definition of the keys
field from [TAP 3](theupdateframework#57).

Closes theupdateframework#58
This was referenced Nov 7, 2019
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

delegated targets are authorized by keys in the delegating target roles erickt/tuf-specification
3 participants
@erickt @lukpueh @trishankatdatadog