Remove POUF-2; Update POUF-1 with DSSE changes

Signed-off-by: Aditya Sirish <[email protected]>

Author: adityasaky

POUFs/pouf2.md

@@ -1,11 +1,11 @@
-* POUF: 1
-* Title: Reference Implementation Using Canonical JSON
-* Version: 2
-* Last-Modified: 06-May-2020
+*" POUF: 1
+* Title: Reference Implementation Using Canonical JSON and DSSE
+* Version: 3
+* Last-Modified: 21-Jun-2021
 * Author: Marina Moore, Joshua Lock
 * Status: Draft
 * TUF Version Implemented: 1.0
-* Implementation Version(s) Covered: v0.12.*
+* Implementation Version(s) Covered: TODO
 * Content-Type: text/markdown
 * Created: 25-November-2018
 
@@ -14,7 +14,7 @@ This POUF describes the protocol, operations, usage, and formats for the TUF ref
 
 The reference implementation includes all required features of the TUF standard, as well as many of the optional features as a reference for anyone wishing to implement TUF. The implementation uses Canonical JSON encoding.
 
-This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES.
+This version of the POUF covers v0.12.* of the reference implementation and has been updated to reflect that: snapshot.json only lists targets metadata (top-level and delegated), and timestamp.json includes hashes and length in METAFILES. TODO: update this bit
 
 # Protocol
 
@@ -67,19 +67,22 @@ The following steps must be completed before any updates can be installed:
 # Formats
 
 ## General Principals
-All signed metadata objects have the format:
-
-       { "signed" : ROLE,
-         "signatures" : [
-            { "keyid" : KEYID,
-              "sig" : SIGNATURE }
-            , ... ]
+All signed metadata use v1 of [Dead Simple Signing Envelope (DSSE)](https://github.com/secure-systems-lab/signing-spec):
+
+       {
+         "payload": "<Base64(SERIALIZED_BODY)>",
+         "payloadType": "<PAYLOAD_TYPE>",
+         "signatures": [{
+           "keyid": "<KEYID>",
+           "sig": "<Base64(SIGNATURE)>"
+         }]
        }
 
-
    where:
 
-          * ROLE is a dictionary whose "_type" field describes the role type.
+          * SERIALIZED_BODY is a dictionary whose "_type" field describes the role type.
+
+          * PAYLOAD_TYPE is a fixed as "application/vnd.tuf+json" identifying it as TUF metadata.
 
           * KEYID is the identifier of the key signing the ROLE dictionary.
 
@@ -347,7 +350,7 @@ The timestamp file is signed by a timestamp key.  It indicates the
                "hashes" : HASHES }
            , ...
          }
-
+t
      METAPATH is the the snapshot metadata file's path on the repository
      relative to the metadata base URL.
 
@@ -406,7 +409,25 @@ This profile was included in TUF security audits available at https://theupdatef
 
 # Version History
 
+## 3
+Update to propose a transition to using DSSE as the underlying signature wrapper for TUF metadata.
+
 ## 2
 Updated to reflect the latest (v0.12.2) reference implementation.
 * snapshot.json lists only the top-level and delegated targets metadata
 * timestamp.json includes hashes and length of snapshot.json
+       { "signed" : ROLE,
+         "signatures" : [
+            { "keyid" : KEYID,
+              "sig" : SIGNATURE }
+            , ... ]
+       }
+
+
+   where:
+
+          * ROLE is a dictionary whose "_type" field describes the role type.
+
+          * KEYID is the identifier of the key signing the ROLE dictionary.
+
+          * SIGNATURE is a hex-encoded signature of the canonical JSON form of ROLE.