Recommend signatures only contain one sig per keyid

In an attempt to help implementers protect against incorrect threshold computation, update "File formats" to suggest that the signatures list contain only a single signature per keyid at metadata creation time. Suggested-by: Jussi Kukkonen <[email protected]> Signed-off-by: Joshua Lock <[email protected]>
theupdateframework · May 28, 2021 · a98c6a5 · a98c6a5
1 parent 24ca081
commit a98c6a5
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/tuf-spec.md b/tuf-spec.md
@@ -3,7 +3,7 @@ Title: The Update Framework Specification
 Shortname: TUF
 Status: LS
 Abstract: A framework for securing software update systems.
-Date: 2021-05-27
+Date: 2021-05-28
 Editor: Justin Cappos, NYU
 Editor: Trishank Karthik Kuppusamy, Datadog
 Editor: Joshua Lock, VMware
@@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no
 Local Boilerplate: header yes
 Markup Shorthands: css no, markdown yes
 Metadata Include: This version off, Abstract off
-Text Macro: VERSION 1.0.19
+Text Macro: VERSION 1.0.20
 </pre>
 
 Note: We strive to make the specification easy to implement, so if you come
@@ -534,6 +534,10 @@ All signed metadata objects have the format:
       ::
         A hex-encoded signature of the canonical form of the metadata for <a for="role">ROLE</a>.
 
+Note: The "signatures" list SHOULD only contain one <a>SIGNATURE</a> per
+<a for="role">KEYID</a>. This helps prevent multiple signatures by the same key
+being counted erroneously towards the minimum <a>THRESHOLD</a> indicating valid
+metadata.
 
 All <dfn>KEY</dfn>s have the format: