On Thu, Mar 22, 2018 at 6:15 PM, Justin Cappos
Warehouse is already a SPOF. That's a hefty responsibility that contributions should support.
Warehouse doesn't need to be a SPOF. A compromise of the Warehouse server (and all keys on it) need not allow an attacker to compromise many users. The details are in the Diplomat https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kup... paper, but the gist is that you can have some rarely used, offline keys that are stored by folks like Donald, etc. and a quorum of those trusted users would need to be malicious to cause substantial harm to users.
However, you can have whatever trust / key distribution / storage model makes sense. TUF doesn't force you to use some pre-ordained model. It has flexibility to support a variety of workflows, including many with good security properties.
Would [offline] package mirrors and the CDN still work for/with TUF keys?
Yes, this works just fine. CDNs / mirrors do not change in any way.
+1 (I'm logging off work for today, but happy to discuss more tomorrow)