Signing Keys

Repository Service for TUF (RSTUF) requires two sets of keys for Deployment and Service Setup: Root Key(s) (offline) and the Online Key.

Root Key(s) (offline)

The Root key(s) are the trust anchor of the TUF repository: they delegate trust to every other role. The number of Root keys equals the number of identities/people who administer the top-level TUF Metadata.

RSTUF requires all Root key(s) only during the Service Setup, specifically during the Ceremony process. The Ceremony also defines the Root key threshold: the minimum number of Root key(s) that must sign in future offline operations.

Note

See the following example of the number of Root keys and the threshold:

An organization declares that it will utilize 5 (five) Root keys in order to administer the RSTUF Service. All 5 (five) people will be required to utilize their keys individually during the Ceremony process.

During the Ceremony process, the same organization defines that the threshold for Root metadata is 2 (two).

Root keys: 5
Root keys threshold: 2

To perform the Metadata Update process, the organization then requires at least 2 (two) of those people to use their keys.
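The policy above ("5 Root keys, threshold 2") is enforced by the TUF client and repository when they check the signatures on Root metadata. The following is an added illustration written for this page, not RSTUF's own code (RSTUF delegates signing and verification to securesystemslib / python-tuf): it models the `root` role entry with five constructed keyids and a threshold of 2, and implements the TUF counting rule that only keys listed in the role count and each keyid counts at most once, regardless of how many signatures it contributed. HMAC-SHA256 stands in for the asymmetric signature scheme a real deployment uses; the key material is constructed.

```python
"""Threshold check for a TUF Root role (added example, not RSTUF code).

HMAC-SHA256 is used as a stand-in for the asymmetric signatures (Ed25519, RSA,
ECDSA) that securesystemslib would produce; the threshold logic is what matters.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: one secret per Root key holder. In a real deployment each holder
# keeps the private key offline; only the public half appears in root.json.
ROOT_KEY_SECRETS = {f"root-key-{i}": secrets.token_bytes(32) for i in range(1, 6)}

# Constructed Root role entry mirroring the "root" role in root.json:
# the five authorized keyids and the threshold agreed during the Ceremony.
ROOT_ROLE = {"keyids": sorted(ROOT_KEY_SECRETS), "threshold": 2}


def canonical(signed: dict) -> bytes:
    """Serialize the 'signed' portion deterministically so every signer hashes the same bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid: str, signed: dict) -> dict:
    """Produce a {keyid, sig} entry for one key holder (HMAC stand-in for a real signature)."""
    mac = hmac.new(ROOT_KEY_SECRETS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}


def verify_one(keyid: str, sig: str, signed: dict) -> bool:
    """Check a single signature; constant-time compare avoids leaking the MAC."""
    expected = hmac.new(ROOT_KEY_SECRETS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def count_valid_signers(role: dict, metadata: dict) -> int:
    """Count distinct authorized keys with a valid signature over metadata['signed'].

    TUF rule: signatures from keyids not listed in the role are ignored, and
    several signatures from the same keyid count only once.
    """
    valid = set()
    for entry in metadata.get("signatures", []):
        keyid = entry["keyid"]
        if keyid not in role["keyids"]:
            continue  # unauthorized key: never counts toward the threshold
        if verify_one(keyid, entry["sig"], metadata["signed"]):
            valid.add(keyid)  # set membership de-duplicates repeated keyids
    return len(valid)


def threshold_met(role: dict, metadata: dict) -> bool:
    """True when at least role['threshold'] distinct authorized keys signed validly."""
    return count_valid_signers(role, metadata) >= role["threshold"]


def make_root_metadata(signer_keyids: list) -> dict:
    """Build a minimal root metadata document signed by the given key holders."""
    signed = {"_type": "root", "version": 2, "roles": {"root": ROOT_ROLE}}
    return {"signed": signed, "signatures": [sign(k, signed) for k in signer_keyids]}


if __name__ == "__main__":
    update = make_root_metadata(["root-key-1", "root-key-4"])
    print("two distinct holders signed, threshold met:", threshold_met(ROOT_ROLE, update))
    lone = make_root_metadata(["root-key-3", "root-key-3"])
    print("one holder signed twice, threshold met:", threshold_met(ROOT_ROLE, lone))
```

The duplicate-keyid and unauthorized-keyid cases are the ones worth testing in any deployment: a threshold of 2 is only meaningful if two different people must participate, so a second signature from the same Root key, or a signature from a key that was never listed in the role, must never be counted.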

Caution

The Root key(s) should be stored securely offline.

The keys must be compatible with the Secure Systems Library (securesystemslib).

Online Key

The Online Key signs the TUF metadata of the roles that are signed automatically by the service (Targets, Snapshot, and Timestamp).

RSTUF requires the online key during the Service Setup, specifically during the Ceremony process.

During RSTUF Worker service deployment, configure the online key using a supported Key Vault Service.

Caution

  • Do not expose the online private key.

  • The online key should be stored and secured with access limited to the RSTUF Workers only.

Note

The Targets, Snapshot, and Timestamp metadata are signed with the online key.