[Catalog-sig] RubyGems Threat Model and Requirements
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Fri Feb 15 09:23:47 CET 2013
Absolutely. Nick, thanks for helping to clarify that tasks #6-7 are,
indeed, handled by TUF.
Giovanni, we would certainly like to comment on your design document as
soon as we find the time. In fact, we are going to have a TUF hackathon
here in a few hours, and we hope to make more progress on these matters
soon enough.
On 2/12/13 10:31 PM, Nick Coghlan wrote:
> On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo <rasky at develer.com> wrote:
>> Il giorno 12/feb/2013, alle ore 14:12, Nick Coghlan <ncoghlan at gmail.com> ha scritto:
>>
>>> On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>>> Hello Nick,
>>>>
>>>> I've added the initial Requirements and Thread Model section to my document. I've also added a section "Future scenarios" at the end of the document.
>>>>
>>>> I hope they complete what you were feeling was missing from the proposal.
>>>
>>> Thanks, that helps me a lot in understanding the overall goals of your
>>> approach - in particular, it more clearly puts several things out of
>>> scope :)
>>>
>>> Your Task #6/#7 (related to PyPI generating the trust file, and pip
>>> verifying it) are the ones where I think the input of the TUF team
>>> will be most valuable, as well as potentially the folks responding to
>>> the rubygems.org attack.
>>
>> My undestanding is that #6/#7 are not currently covered by TUF.
>
> It's not explained very clearly in the spec, but #6/#7 are covered by
> TUF's "target delegation" concept (see
> https://www.updateframework.com/browser/specs/tuf-spec.txt#L241 and
> https://www.updateframework.com/browser/specs/tuf-spec.txt#L382)
>
> The PyPI target role key can delegate authority to individual package
> developer keys by delegating authority for the relevant paths within
> PyPI (i.e. the locations of the sdists and other files).
>
> This is discussed briefly at
> https://www.updateframework.com/wiki/SecuringPythonPackageManagement#Notes
> (where they note they have added an extra level of delegation to
> separate out the package specific delegations by first letter rather
> than dumping them all in one directory).
>
> TUF's target delegation is thus in direct competition to the "trusted
> keys" file in your design. TUF specifically aims to take care of the
> "online key needed" problem, by confining the online key role to the
> generation of the timestamp file, with offline keys used to sign the
> regenerated metadata when a target delegation changes.
>
> Cheers,
> Nick.
>
More information about the Catalog-SIG
mailing list