|
564 | 564 | "name": ROLE, |
565 | 565 | "keyids" : [ KEYID, ... ] , |
566 | 566 | "threshold" : THRESHOLD, |
567 | | - "paths" : [ PATHPATTERN, ... ] |
| 567 | + ("path_hash_prefixes" : [ HEX_DIGEST, ... ] | |
| 568 | + "paths" : [ PATHPATTERN, ... ]) |
568 | 569 | }, ... ] |
569 | 570 | } |
570 | 571 |
|
| 572 | + In order to discuss target paths, a role MUST specify only one of the |
| 573 | + "path_hash_prefixes" or "paths" attributes, each of which we discuss next. |
| 574 | + |
| 575 | + The "path_hash_prefixes" list is used to succinctly describe a set of target |
| 576 | + paths. Specifically, each HEX_DIGEST in "path_hash_prefixes" describes a set |
| 577 | + of target paths; therefore, "path_hash_prefixes" is the union over each |
| 578 | + prefix of its set of target paths. The target paths must meet this |
| 579 | + condition: each target path, when hashed with the SHA-256 hash function to |
| 580 | + produce a 64-byte hexadecimal digest (HEX_DIGEST), must share the same |
| 581 | + prefix as one of the prefixes in "path_hash_prefixes". This is useful to |
| 582 | + split a large number of targets into separate bins identified by consistent |
| 583 | + hashing. |
| 584 | + |
| 585 | + TODO: Should the TUF spec restrict the repository to one particular |
| 586 | + algorithm? Should we allow the repository to specify in the role dictionary |
| 587 | + the algorithm used for these generated hashed paths? |
| 588 | + |
571 | 589 | The "paths" list describes paths that the role is trusted to provide. |
572 | 590 | Clients MUST check that a target is in one of the trusted paths of all roles |
573 | 591 | in a delegation chain, not just in a trusted path of the role that describes |
574 | | - the target file. The format of a PATHPATTERN may be either a path to a single |
575 | | - file, or a path to a directory to indicate all files and/or subdirectories |
576 | | - under that directory. |
| 592 | + the target file. The format of a PATHPATTERN may be either a path to a |
| 593 | + single file, or a path to a directory to indicate all files and/or |
| 594 | + subdirectories under that directory. |
| 595 | + |
| 596 | + A path to a directory is used to indicate all possible targets sharing that |
| 597 | + directory as a prefix; e.g. if the directory is "targets/A", then targets |
| 598 | + which match that directory include "targets/A/B.txt" and |
| 599 | + "targets/A/B/C.txt". |
577 | 600 |
|
578 | 601 | We are currently investigating a few "priority tag" schemes to resolve |
579 | 602 | conflicts between delegated roles that share responsibility for overlapping |
580 | 603 | target paths. One of the simplest of such schemes is for the client to |
581 | 604 | consider metadata in order of appearance of delegations; we treat the order |
582 | 605 | of delegations such that the first delegation is trusted more than the |
583 | 606 | second one, the second delegation is trusted more than the third one, and so |
584 | | - on. The metadata of the first delegation will override that of the second delegation, |
585 | | - the metadata of the second delegation will override that of the third |
586 | | - delegation, and so on. In order to accommodate this scheme, the "roles" key |
587 | | - in the DELEGATIONS object above points to an array, instead of a hash |
588 | | - table, of delegated roles. |
| 607 | + on. The metadata of the first delegation will override that of the second |
| 608 | + delegation, the metadata of the second delegation will override that of the |
| 609 | + third delegation, and so on. In order to accommodate this scheme, the |
| 610 | + "roles" key in the DELEGATIONS object above points to an array, instead of a |
| 611 | + hash table, of delegated roles. |
589 | 612 |
|
590 | 613 | Another priority tag scheme would have the clients prefer the delegated role |
591 | 614 | with the latest metadata for a conflicting target path. Similar ideas were |
|
0 commit comments