[Catalog-sig] RubyGems Threat Model and Requirements
Nick Coghlan
ncoghlan at gmail.com
Wed Feb 13 04:31:35 CET 2013
On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo <rasky at develer.com> wrote:
> Il giorno 12/feb/2013, alle ore 14:12, Nick Coghlan <ncoghlan at gmail.com> ha scritto:
>
>> On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>> Hello Nick,
>>>
>>> I've added the initial Requirements and Thread Model section to my document. I've also added a section "Future scenarios" at the end of the document.
>>>
>>> I hope they complete what you were feeling was missing from the proposal.
>>
>> Thanks, that helps me a lot in understanding the overall goals of your
>> approach - in particular, it more clearly puts several things out of
>> scope :)
>>
>> Your Task #6/#7 (related to PyPI generating the trust file, and pip
>> verifying it) are the ones where I think the input of the TUF team
>> will be most valuable, as well as potentially the folks responding to
>> the rubygems.org attack.
>
> My undestanding is that #6/#7 are not currently covered by TUF.
It's not explained very clearly in the spec, but #6/#7 are covered by
TUF's "target delegation" concept (see
https://www.updateframework.com/browser/specs/tuf-spec.txt#L241 and
https://www.updateframework.com/browser/specs/tuf-spec.txt#L382)
The PyPI target role key can delegate authority to individual package
developer keys by delegating authority for the relevant paths within
PyPI (i.e. the locations of the sdists and other files).
This is discussed briefly at
https://www.updateframework.com/wiki/SecuringPythonPackageManagement#Notes
(where they note they have added an extra level of delegation to
separate out the package specific delegations by first letter rather
than dumping them all in one directory).
TUF's target delegation is thus in direct competition to the "trusted
keys" file in your design. TUF specifically aims to take care of the
"online key needed" problem, by confining the online key role to the
generation of the timestamp file, with offline keys used to sign the
regenerated metadata when a target delegation changes.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Catalog-SIG
mailing list