[TUF] How would timestamps be generated? #29
Replies: 5 comments 1 reply
-
With the TUF design, it should be possible to have the timestamp key controlled by a server outside of the registry that pushes signed timestamp files to the registry, given that this server is able to ensure they have the most recent snapshot. This is a little more circuitous than having it controlled by the registry itself, but would require fewer changes to registries. (cc @trishankatdatadog @JustinCappos in case I missed a security implication) On a related note, I started a document to track changes we'd require to the OCI spec to support TUF metadata.
-
First of all, just to clarify: what do you mean by "timestamping" @sudo-bmitch? Do you mean as in TUF, or as in Windows codesigning?
-
I don't see any problem with this given that a map file in TUF can point to different keys for various roles.
…On Thu, Jan 21, 2021 at 4:19 AM Brandon Mitchell ***@***.***> wrote:
> Timestamping as in the TUF timestamp signature on the snapshot.
-
For TUF, combining the notary service with the registry service is convenient but breaks the security model that the registry server is not trusted.
-
It's more a question of "trusted for what"? Trusted to know the latest version of a piece of (snapshot) metadata is less impactful than being trusted to provide the snapshot metadata or something more sensitive like metadata pointing to images.
…On Fri, Jan 22, 2021 at 5:54 PM Shiwei Zhang ***@***.***> wrote:
> For TUF, combining the notary service with the registry service is convenient but breaks the security model that the registry server is not trusted.
-
With the current registry API, I don't believe there's any precedent for running code on the registry server to generate blobs. And a basic registry deployed without any features has no TLS encryption and allows anyone to push/pull from that service (admittedly that's not a model we want to encourage). For these reasons, I'm leaning against asking OCI to support running a timestamping service within the registry; however, the TUF team is assuming otherwise. Is there an option to have an external timestamping service, and would that be more desirable than proposing a change to the OCI spec to support running a timestamp service within the registry?
One advantage to a separate timestamping service is allowing disconnected environments to run their own timestamping service separate from the upstream mirror. This service may have its own keys, and clients in the disconnected environment may need to be configured to trust that key.
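The external timestamping service discussed above, written out as an added Go example that is not code from this thread or from any Notary/TUF project. It shows the two halves of the design: `SignTimestamp` is the out-of-registry server that fetches the latest snapshot.json and signs only its length, SHA-256 and version (it never holds the snapshot or targets keys, which is the "trusted for what" point: a compromised timestamp key can only replay or freshness-attack, not point clients at different images); `VerifyTimestamp` is the client side that pins the timestamp public key (for a disconnected environment, the local service's key), and rejects bad signatures, expired metadata, version rollback and a snapshot that does not match what was signed. The metadata layout is simplified relative to the TUF specification (plain `encoding/json` output instead of canonical JSON, one hex signature instead of a keyid/sig list); the field names and the sample snapshot bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// MetaInfo mirrors a TUF timestamp "meta" entry: length, hashes and version
// of the snapshot.json the timestamp vouches for.
type MetaInfo struct {
	Length  int               `json:"length"`
	Hashes  map[string]string `json:"hashes"`
	Version int               `json:"version"`
}

// TimestampSigned is the part of timestamp.json covered by the signature.
type TimestampSigned struct {
	Type    string              `json:"_type"`
	Version int                 `json:"version"`
	Expires time.Time           `json:"expires"`
	Meta    map[string]MetaInfo `json:"meta"`
}

// Timestamp is the signed envelope. Simplification: real TUF signs canonical
// JSON and carries a list of {keyid, sig}; json.Marshal's deterministic field
// and map-key ordering plus a single hex ed25519 signature stand in here.
type Timestamp struct {
	Signed    TimestampSigned `json:"signed"`
	Signature string          `json:"signature"`
}

// SignTimestamp is the external timestamping server's job: given the latest
// snapshot.json it obtained from the registry, record its size, SHA-256 and
// version, and sign that with the timestamp key only.
func SignTimestamp(priv ed25519.PrivateKey, snapshot []byte, snapshotVersion, tsVersion int, expires time.Time) (*Timestamp, error) {
	sum := sha256.Sum256(snapshot)
	signed := TimestampSigned{
		Type:    "timestamp",
		Version: tsVersion,
		Expires: expires.UTC(),
		Meta: map[string]MetaInfo{
			"snapshot.json": {
				Length:  len(snapshot),
				Hashes:  map[string]string{"sha256": hex.EncodeToString(sum[:])},
				Version: snapshotVersion,
			},
		},
	}
	payload, err := json.Marshal(signed)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, payload)
	return &Timestamp{Signed: signed, Signature: hex.EncodeToString(sig)}, nil
}

// VerifyTimestamp is the client side. pub is the pinned timestamp key (for a
// disconnected site, the local service's key); lastSeenVersion is the highest
// timestamp version the client has already accepted, used to detect rollback.
func VerifyTimestamp(pub ed25519.PublicKey, ts *Timestamp, snapshot []byte, lastSeenVersion int, now time.Time) error {
	payload, err := json.Marshal(ts.Signed)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(ts.Signature)
	if err != nil || !ed25519.Verify(pub, payload, sig) {
		return errors.New("timestamp: bad signature")
	}
	if ts.Signed.Type != "timestamp" {
		return errors.New("timestamp: wrong metadata type")
	}
	if ts.Signed.Version < lastSeenVersion {
		return fmt.Errorf("timestamp: rollback (got version %d, previously saw %d)", ts.Signed.Version, lastSeenVersion)
	}
	if !now.Before(ts.Signed.Expires) {
		return errors.New("timestamp: expired (stale mirror or freshness attack)")
	}
	meta, ok := ts.Signed.Meta["snapshot.json"]
	if !ok {
		return errors.New("timestamp: no snapshot.json entry")
	}
	sum := sha256.Sum256(snapshot)
	if meta.Length != len(snapshot) || meta.Hashes["sha256"] != hex.EncodeToString(sum[:]) {
		return errors.New("timestamp: snapshot does not match signed length/hash")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	snapshot := []byte(`{"signed":{"_type":"snapshot","version":7},"signatures":[]}`) // constructed sample
	ts, _ := SignTimestamp(priv, snapshot, 7, 42, time.Now().Add(24*time.Hour))
	fmt.Println("genuine snapshot:", VerifyTimestamp(pub, ts, snapshot, 41, time.Now()))
	tampered := []byte(string(snapshot) + " ")
	fmt.Println("tampered snapshot:", VerifyTimestamp(pub, ts, tampered, 41, time.Now()))
}
```

The signer and verifier share no secret beyond the timestamp public key, so the service can sit anywhere that can read the registry's current snapshot.json and write the resulting timestamp.json back, which is the arrangement the thread describes; the client's only extra configuration is which timestamp key to pin.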