theupdateframework / specification

The Update Framework specification
https://theupdateframework.github.io/specification/
363 stars, 55 forks

Access control for TUF repositories #104

Open mnm678 opened 4 years ago

mnm678 commented 4 years ago

The specification should provide recommendations about upload access to TUF repositories. An uploader should only be trusted to upload images that have been delegated to them, and in most cases they should not be allowed to replace images from other uploaders.

If developers are given unlimited upload access, they could create a denial of service by replacing valid images or metadata files.

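The upload policy described in the comment above, as an added example that is not part of this issue thread, of the TUF specification, or of any TUF implementation. It models a repository-side gate: an uploader authenticates with a signing key (a `keyid`, an assumption since the spec has no notion of uploads), may only publish target paths matched by a delegated role that holds that key, and may not replace a target already published under a role whose keys they do not hold. Path patterns are matched segment by segment so a wildcard never crosses `/` (the spec's SHOULD NOT; python-tuf's fnmatch-based matching differs, so this is an assumption of the example). All role names, key ids and paths are constructed for illustration.

```python
"""Repository-side upload authorization against TUF-style delegations.

Hypothetical example code; not python-tuf and not text from the specification.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DelegatedRole:
    name: str
    keyids: frozenset          # keys allowed to sign (here: upload) for this role
    paths: tuple               # TUF PATHPATTERNs such as "alice/*"
    terminating: bool = False  # stop considering later delegations on a match


def pattern_matches(pattern: str, path: str) -> bool:
    """Segment-wise glob match: '*' and '?' never match a path separator.

    Assumption: follows the spec's "SHOULD NOT match a path separator";
    implementations that use plain fnmatch let "alice/*" match "alice/a/b".
    """
    pparts, tparts = pattern.split("/"), path.split("/")
    if len(pparts) != len(tparts):
        return False
    return all(fnmatchcase(t, p) for p, t in zip(pparts, tparts))


@dataclass
class Repository:
    delegations: List[DelegatedRole]                       # ordered, as in targets.json
    published: Dict[str, str] = field(default_factory=dict)  # path -> owning role name

    def candidate_roles(self, path: str) -> List[DelegatedRole]:
        """Roles whose patterns cover `path`, in delegation order.

        A terminating delegation that matches ends the walk, mirroring how a
        client's target search stops at a terminating role.
        """
        out = []
        for role in self.delegations:
            if any(pattern_matches(p, path) for p in role.paths):
                out.append(role)
                if role.terminating:
                    break
        return out

    def authorize_upload(self, keyid: str, path: str) -> Tuple[bool, str]:
        """Decide whether the holder of `keyid` may publish `path`.

        Returns (allowed, reason-or-owning-role). Two checks:
          1. some delegation covering `path` lists `keyid`;
          2. if `path` is already published, its owning role must be one the
             uploader holds a key for, so one uploader cannot clobber another's
             target (the denial-of-service case from the issue).
        """
        roles = [r for r in self.candidate_roles(path) if keyid in r.keyids]
        if not roles:
            return False, f"no delegation covering {path!r} includes key {keyid!r}"
        owner = self.published.get(path)
        if owner is not None and owner not in {r.name for r in roles}:
            return False, f"{path!r} is already published by role {owner!r}"
        return True, owner or roles[0].name

    def upload(self, keyid: str, path: str) -> bool:
        """Apply the policy and record the owning role on success."""
        allowed, info = self.authorize_upload(keyid, path)
        if allowed:
            self.published[path] = info
        return allowed

    def authorize_metadata_upload(self, keyid: str, rolename: str) -> bool:
        """A delegated role's metadata file may only be replaced by its own keys."""
        return any(r.name == rolename and keyid in r.keyids for r in self.delegations)


def example_repository() -> Repository:
    """Constructed sample delegations: two developers plus a shared team role."""
    return Repository(delegations=[
        DelegatedRole("alice", frozenset({"ka"}), ("alice/*",)),
        DelegatedRole("bob", frozenset({"kb"}), ("bob/*", "shared/*")),
        DelegatedRole("team", frozenset({"ka", "kb"}), ("shared/*",)),
    ])


if __name__ == "__main__":
    repo = example_repository()
    print(repo.upload("ka", "alice/app.tgz"))     # alice publishes her own target
    print(repo.upload("kb", "alice/app.tgz"))     # bob has no delegation for alice/*
    print(repo.upload("kb", "shared/lib.tgz"))    # bob publishes under "shared/*"
    print(repo.upload("ka", "shared/lib.tgz"))    # alice (via team) cannot replace it
    print(repo.published)
```

The ownership map (`published`) is the piece a plain "does the key match a delegation" check lacks: with only the first check, any keyholder of an overlapping delegation could overwrite a colleague's target and cause exactly the outage the issue describes.
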
lukpueh commented 4 years ago

This is a good point and very important for PEP 480-like setups, and probably also for PEP 458 as far as uploading images (target files?) goes.

However, to me it seems out of scope for the TUF spec. As far as I understand, DoS-attack prevention is not in the threat model of TUF, only its detection. Also, the spec does not have a notion of developer uploads. As a matter of fact, and I think this should be changed, right now it does not even describe how updates occur on the repository side (as we do in PEP 458).

trishankatdatadog commented 4 years ago

While I do agree with Lukas that this is probably out of scope for the spec, we should have something like guidelines or recommendations somewhere prominent where people like the OCI folks could look up.

joshuagl commented 4 years ago

Perhaps this would be another item to capture in the secondary literature (#91)?