Closed jku closed 3 years ago
Nice! I have a use case for unknown key-values that @trishankatdatadog linked this issue to.
I completely agree that these key-value pairs must be preserved by an implementation so that hash/signature calculations can be consistent.
As far as where they can appear: my personal use case is key-values that may appear as auxiliary information in the KEYVAL dictionary (https://theupdateframework.github.io/specification/latest/#keyval). My linked PR adds a custom dictionary to this to append additional public key information (a certificate attesting to the public key).
Thanks, Asra! I think the next step is to add some text to the spec to clarify how to preserve and yet ignore these superset fields...
Would it suffice to have it be similar to CUSTOM in targets (opaque to implementation, as a json object) and submit a PR in this repo with the change?
I don't think we even need to mention any specific field 🙂 We can add CUSTOM and your field as examples, but the important thing is to advise implementations what to do when seeing these added/superset fields. Makes sense?
Spec says:
This does not make it very clear
My own understanding of the last point is that they can appear in every "object-like" dictionary at or below signed, meaning every dictionary in the format except ["hashes", "keys", "meta", "roles", "targets"].