|
| 1 | +* TAP: 17 |
| 2 | +* Title: Replace signature envelope with SSL signing-spec |
| 3 | +* Version: 0 |
| 4 | +* Last-Modified: 30/04/2021 |
| 5 | +* Author: Aditya Sirish A Yelgundhalli |
| 6 | +* Type: Standardization |
| 7 | +* Status: Draft |
| 8 | +* Content-Type: markdown |
| 9 | +* Created: 30/04/2021 |
| 10 | +* +TUF-Version: |
| 11 | +* +Post-History: |
| 12 | + |
| 13 | +# Abstract |
| 14 | + |
| 15 | +This TUF Augmentation Proposal (TAP) proposes switching to a new signature |
| 16 | +envelope, namely the new |
| 17 | +[SSL signature specification](http://github.com/secure-systems-lab/signing-spec). |
| 18 | +This has the following benefits over the current state: |
| 19 | + |
| 20 | +1. Avoids canonicalization for security reasons (i.e., to not parse untrusted |
| 21 | + input) |
| 22 | + |
| 23 | +2. Reduces the possibility of misinterpretation of the payload. The serialized |
| 24 | + payload is encoded as a string and verified by the recipient before |
| 25 | + de-serializing. |
| 26 | + |
| 27 | +The old signature envelope would still be supported but deprecated, possibly to |
| 28 | +be removed in a future release. This TAP follows a near identical proposal in |
| 29 | +TUF's sister project, in-toto. The proposal there is detailed in an in-toto |
| 30 | +Enhancement (ITE), |
| 31 | +[ITE-5](https://github.com/in-toto/ITE/blob/master/ITE/5/README.adoc). |
| 32 | + |
| 33 | +# Specification |
| 34 | + |
| 35 | +The specification adopted will be the SSL Signing Spec 0.1, as linked above. As |
| 36 | +such, we defer to that document to describe the specifics of signature |
| 37 | +generation and verification. |
| 38 | + |
| 39 | +The envelope's `payloadType` is `application/vnd.tuf+json` for all TUF roles. |
| 40 | +This means that the payload is expected to be a JSON file with a |
| 41 | +`_type` field identifying the specific role. |
| 42 | + |
| 43 | +The envelope's `payload` is the JSON serialization of the message, equivalent to |
| 44 | +the `signed` object in the current format. |
| 45 | + |
| 46 | +## Pseudocode |
| 47 | + |
| 48 | +Implementations should process the authentication layer as follows: |
| 49 | + |
| 50 | +Inputs: |
| 51 | + |
| 52 | +* `file`: JSON-encoded TUF document |
| 53 | +* `recognizedSigners`: collection of (`name`, `publicKey`) pairs |
| 54 | + |
| 55 | +Outputs: |
| 56 | + |
| 57 | +* `message`: the signed message as an implementation-language-specific object |
| 58 | +* `signers`: set of recognized names that have signed the message |
| 59 | + |
| 60 | +Steps: |
| 61 | + |
| 62 | +* `envelope` := JsonDecode(`file`); raise error if the decoding fails |
| 63 | +* If `envelope.payload` exists (new-style envelope): |
| 64 | + * If `payloadType` != `application/vnd.tuf+json`, raise error |
| 65 | + * `preauthEncoding` := PAE(UTF8(`envelope.payloadType`), |
| 66 | + `envelope.payload`) as per signing-spec |
| 67 | + * `signers` := set of `name` for which Verify(`preauthEncoding`, |
| 68 | + `signature.sig`, `publicKey`) succeeds, for all combinations of |
| 69 | + (`signature`) in `envelope.signatures` and (`name`, `publicKey`) in |
| 70 | + `recognizedSigners` |
| 71 | + * `message` := JsonDecode(`envelope.payload`) |
| 72 | +* Else if `envelope.signed` exists (old-style envelope): |
| 73 | + * `preauthEncoding` := CanonicalJsonEncode(`envelope.signed`) |
| 74 | + * `signers` := set of `name` for which Verify(`preauthEncoding`, |
| 75 | + `signature.sig`, `publicKey`) succeeds, for all combinations of |
| 76 | + (`signature`) in `envelope.signatures` and (`name`, `publicKey`) in |
| 77 | + `recognizedSigners` |
| 78 | + * `message` := `envelope.signed` |
| 79 | +* Else, raise error |
| 80 | +* Raise error if `signers` is empty |
| 81 | +* Return `message` and `signers` |
| 82 | + |
| 83 | +# Motivation |
| 84 | + |
| 85 | +TUF's sister project, in-toto, reused the current signature envelope to maximize |
| 86 | +code reuse. Both projects currently use the same crypto provider. However, the |
| 87 | +current envelope is detailed in both projects, and as time has shown, keeping |
| 88 | +them synchronized has been difficult. |
| 89 | + |
| 90 | +Further, due to interactions in both communities, the signature envelopes have |
| 91 | +evolved to better fit their use cases. Adopting a common source of truth, i.e., |
| 92 | +a separate signature specification, should help increase cohesion between |
| 93 | +these projects while maintaining the original goal of code reuse and transparent |
| 94 | +integration. |
| 95 | + |
| 96 | +In addition, keeping the signature envelope specification *outside* of the |
| 97 | +current TUF specification will also simplify the specification, which can now |
| 98 | +focus on describing TUF specifics, rather than cryptographic building blocks. |
| 99 | + |
| 100 | +# Rationale |
| 101 | + |
| 102 | +Our goal was to adopt a signature envelope that is as simple and foolproof as |
| 103 | +possible. Alternatives such as [JWS](https://tools.ietf.org/html/rfc7515) are |
| 104 | +extremely complex and error-prone, while others such as |
| 105 | +[PASETO](https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version2.md#sig) |
| 106 | +are overly specific. (Both are also JSON-specific.) We believe the SSL signing |
| 107 | +spec strikes the right balance of simplicity, usefulness, and security. |
| 108 | + |
| 109 | +Further, the SSL signing spec is a "natural evolution" of the current signature |
| 110 | +envelope, which was defined in both the TUF and in-toto specifications. As such, |
| 111 | +it allows for a transparent upgrade via their cryptographic provider, |
| 112 | +[securesystemslib](https://github.com/secure-systems-lab/securesystemslib). |
| 113 | + |
| 114 | +Further information on the reasoning behind the envelope's specifics is provided |
| 115 | +in the [signing specification](https://github.com/secure-systems-lab/signing-spec) |
| 116 | +repository. |
| 117 | + |
| 118 | +# Security Analysis |
| 119 | + |
| 120 | +At first sight this proposal is central to security, yet the actual |
| 121 | +contribution is to allow for a signature provider to be disaggregated from the |
| 122 | +specification. As such, no software update-specific security properties are |
| 123 | +removed from the system through this TAP. |
| 124 | + |
| 125 | +The adoption of SSL signing spec slightly improves the security stance of |
| 126 | +implementations because they are no longer parsing untrusted input. |
| 127 | + |
| 128 | +# Backwards Compatibility |
| 129 | + |
| 130 | +Implementations should continue to support old-style envelope as well as |
| 131 | +new-style SSL Signing Spec envelopes, as defined in the |
| 132 | +[pseudocode](#pseudocode) above. |
| 133 | + |
| 134 | +# Augmented Reference Implementation |
| 135 | + |
| 136 | +None yet. |
| 137 | + |
| 138 | +# Copyright |
| 139 | + |
| 140 | +This document has been placed in the public domain. |
| 141 | + |
| 142 | +# References |
| 143 | + |
| 144 | +* [Canonical JSON](http://gibson042.github.io/canonicaljson-spec/) |
| 145 | +* [JWS](https://tools.ietf.org/html/rfc7515) |
| 146 | +* [PASETO](https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version2.md#sig) |
| 147 | +* [ITE-5](https://github.com/in-toto/ITE/blob/master/ITE/5/README.adoc) |
| 148 | + |
| 149 | +# Acknowledgements |
| 150 | + |
| 151 | +This document was significantly inspired by the authors of ITE-5, Santiago |
| 152 | +Torres-Arias (@SantiagoTorres) and Mark Lodato (@MarkLodato). |
0 commit comments