|
1 | 1 | # <p align="center">The Update Framework Specification
|
2 | 2 |
|
3 |
| -Last modified: **1 December 2020** |
| 3 | +Last modified: **2 December 2020** |
4 | 4 |
|
5 |
| -Version: **1.0.14** |
| 5 | +Version: **1.0.15** |
6 | 6 |
|
7 | 7 | We strive to make the specification easy to implement, so if you come across
|
8 | 8 | any inconsistencies or experience any difficulty, do let us know by sending an
|
@@ -217,6 +217,8 @@ repo](https://github.com/theupdateframework/specification/issues).
|
217 | 217 | Mandatory Metadata signing schemes
|
218 | 218 | - [Tap 10](https://github.com/theupdateframework/taps/blob/master/tap10.md):
|
219 | 219 | Remove native support for compressed metadata
|
| 220 | + - [TAP 11](https://github.com/theupdateframework/taps/blob/master/tap11.md): |
| 221 | + Using POUFs for Interoperability |
220 | 222 |
|
221 | 223 | Implementations compliant with this version (1.0.0) of the specification
|
222 | 224 | must also comply with the TAPs mentioned above.
|
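Review bot: Listing TAP 11 above the sentence "must also comply with the TAPs mentioned above" makes POUFs read as a compliance requirement, while section 2.3, added in this same commit, only says implementers "are encouraged" to write one. Either reword the closing sentence so that it exempts informational TAPs, or mark the TAP 11 entry as optional. Minor: the entry just above is spelled "Tap 10" and this one "TAP 11"; pick one capitalization.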
@@ -370,6 +372,20 @@ repo](https://github.com/theupdateframework/specification/issues).
|
370 | 372 | partly because the specific threat posted to clients in many situations is
|
371 | 373 | largely determined by how the framework is being used.
|
372 | 374 |
|
| 375 | +* **2.3. Protocol, Operations, Usage, and Format (POUF) Documents** |
| 376 | + |
| 377 | + This specification purposefully leaves many implementation details, |
| 378 | + including the metadata file formats, to the discretion of individual |
| 379 | + implementations. These details do not affect the security of an |
| 380 | + implementation, and so leaving them out of the specification allows this |
| 381 | + document to support a greater variety of users. TUF implementers are |
| 382 | + encouraged to document the wireline format and design decisions used in |
| 383 | + their implementation as a POUF document. POUFs, as described in |
| 384 | + [TAP 11](https://github.com/theupdateframework/taps/blob/master/tap11.md), |
| 385 | + allow different adopters to create interoperable implementations of TUF. |
| 386 | + POUFs should follow the layout described in TAP 11 and may be made |
| 387 | + publicly available in the [TAP directory](https://github.com/theupdateframework/taps/tree/master/POUFs). |
| 388 | + |
373 | 389 | ## **3. The repository**
|
374 | 390 |
|
375 | 391 | An application uses the framework to interact with one or more repositories.
|
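Review bot: The sentence "These details do not affect the security of an implementation" (new lines 379-380) is too broad, because it covers "the metadata file formats", and the text around line 493 requires a format that allows canonicalization "so that signatures can be accurately verified". Suggest narrowing it, for example to "Provided the requirements in this document are met, these details do not affect the security of an implementation". Also, the heading is added as a bullet ("* **2.3. ...**") directly above "## **3. The repository**"; check that this matches the markup of the other 2.x subsections.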
@@ -476,6 +492,7 @@ repo](https://github.com/theupdateframework/specification/issues).
|
476 | 492 | interpret them without ambiguity. Implementers should choose a data format
|
477 | 493 | that allows for canonicalization, or one that will decode data
|
478 | 494 | deterministically by default so that signatures can be accurately verified.
|
| 495 | + The chosen data format should be documented in the POUF of the implementation. |
479 | 496 | The examples in this document use a subset of the JSON object format, with
|
480 | 497 | floating-point numbers omitted. When calculating the digest of an
|
481 | 498 | object, we use the "canonical JSON" subdialect as described at
|
|
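Review bot: The added line 495 says the format "should be documented in the POUF of the implementation", which assumes a POUF exists, while section 2.3 only encourages implementers to write one. Suggest "If the implementation publishes a POUF, the chosen data format and its canonicalization rules should be documented there", which also covers the canonicalization that the preceding sentence relies on for signature verification.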