Implement a TUF based specification

[raggi]

General overview

TUF is a successor to Thandy, the update system designed for the Tor suite. TUF is backed by research, and the core paper cites many real world failures of existing related systems. TUF has had a test implementation against PyPI that provides some insight into practical implications that will need to be considered. TUF once implemented and documented, appears to address all of the critical and high importance and important goals in http://goo.gl/ybFIO, except for policy definition items, where it provides some suggestions. It also provides good coverage in the suggested goals and additional requirements. The design also appears to addresses the concerns of all customer groups.

Required reading:

• http://www.updateframework.com/
• http://freehaven.net/~arma/tuf-ccs2010.pdf

  Implementation details TBC

• Address metadata scalability
• Decide on targets namespace mapping
• Decide on common revocation policy wrt valid historic signatures (rewrite targets or not)
• Design role separation topology wrt servers
• Decide on key rotation schedules
• Decide on depth of authorization integration and targets modification from rg.org
• Decide on user cert replacement policy (airgap? time delay?)
• Decide on user cert authorization policy (airgap? time delay?)

  Open questions

See ML.

[tarcieri]

We did some work on this at Square, FWIW:

http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-2.html http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-3.html

Code here:

https://github.com/square/rubygems/tree/tuf https://github.com/square/rubygems/tree/tuf-xavier https://github.com/square/rubygems.org/tree/tuf