<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Warehouse is already a SPOF.<br></div><div>That's a hefty responsibility that contributions should support.</div></div></blockquote><div><br></div><div>Warehouse doesn't need to be a SPOF. A compromise of the Warehouse server (and all keys on it) need not allow an attacker to compromise many users. The details are in the <a href="https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy" target="_blank">Diplomat</a> paper, but the gist is that you can have some rarely used, offline keys that are stored by folks like Donald, etc., and a quorum of those trusted users would need to be malicious to cause substantial harm to users.</div><div><br></div><div>However, you can have whatever trust / key distribution / storage model makes sense. TUF doesn't force you to use some pre-ordained model. It has flexibility to support a variety of workflows, including many with good security properties.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Would [offline] package mirrors and the CDN still work for/with TUF keys?</div></div></blockquote><div> </div><div>Yes, this works just fine. CDNs / mirrors do not change in any way.</div><div><br></div></div></div></div>
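<p>The quorum-of-offline-keys point above, as an added Python illustration that is not part of this thread or of TUF's own code: a role whose signature threshold can only be met by two of three offline keys, so an attacker holding every key on the online server still cannot produce accepted metadata. HMAC-SHA256 stands in for a real signature scheme, and all key names, key bytes and metadata are constructed.</p>

```python
# Added illustration (not from the thread or the TUF project): a TUF-style
# role with a signature threshold.  HMAC-SHA256 stands in for a real
# signature scheme such as Ed25519 so that this runs on the stdlib alone;
# all key names, key bytes and metadata below are constructed.
import hashlib, hmac, json

KEYS = {  # one online key on the Warehouse server, three offline keys
    "online-warehouse": b"constructed-online-key",
    "offline-a": b"constructed-offline-a",
    "offline-b": b"constructed-offline-b",
    "offline-c": b"constructed-offline-c",
}
# The role trusts only the offline keys, and any two of the three must agree.
ROOT_ROLE = {"keyids": ["offline-a", "offline-b", "offline-c"], "threshold": 2}

def canonical(signed):
    # Deterministic encoding so every signer and verifier hash the same bytes.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(signed, keyid):
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()}

def valid_signers(metadata, role):
    """Ids of role keys whose signature verifies; one key counts once even if
    it signed twice, and keys outside the role are ignored entirely."""
    payload = canonical(metadata["signed"])
    good = set()
    for s in metadata["signatures"]:
        if s["keyid"] not in role["keyids"]:
            continue
        expected = hmac.new(KEYS[s["keyid"]], payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            good.add(s["keyid"])
    return good

def meets_threshold(metadata, role):
    return len(valid_signers(metadata, role)) >= role["threshold"]

def scenarios():
    """Four outcomes a verifier would see; returns {name: accepted?}."""
    root = {"_type": "root", "version": 2}
    server_only = {"signed": root, "signatures": [sign(root, "online-warehouse")] * 3}
    one_offline = {"signed": root, "signatures": [sign(root, "offline-a")] * 2}
    quorum = {"signed": root, "signatures": [sign(root, "offline-a"), sign(root, "offline-b")]}
    tampered = {"signed": dict(root, version=3), "signatures": quorum["signatures"]}
    return {k: meets_threshold(v, ROOT_ROLE) for k, v in
            [("server_only", server_only), ("one_offline", one_offline), ("quorum", quorum), ("tampered", tampered)]}

if __name__ == "__main__":
    print(scenarios())
```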