Authors: Lukas Pühringer, Jussi Kukkonen
2022-05-20

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks, and, in contrast to many other systems, provides resilience to compromise. In this talk Jussi and Lukas, both maintainers of the TUF reference implementation and core contributors to the TUF specification, will show why content delivery is such a crucial part of the supply chain, how TUF can be used to protect it, and where TUF is already used in practice. They will talk about how the TUF ecosystem is evolving: what is happening within the various sub projects and how some well-known adoptions and integration projects are proceeding. Finally, some interesting future developments are discussed.
Authors: Marina Moore, Joshua Lock
2021-10-14


The Update Framework (TUF) is a framework for secure software updates that protects the integrity, consistency, and freshness of packages while reducing the impact of a compromise and allowing for recovery. It uses cryptographic signatures to protect content and separates responsibilities to reduce the impact of key loss. TUF also allows users to recover when a compromise happens through hierarchical trust delegations.
  • TUF protects content using cryptographic signatures over the content, repository, and metadata to ensure integrity, consistency, and freshness.
  • TUF reduces the impact of key loss by separating responsibilities and requiring a threshold of keys to sign content.
  • TUF allows users to recover from a compromise through hierarchical trust delegations.
  • TUF uses a root role that delegates to other roles in the system, including a timestamp role, snapshot role, and targets roles.
  • TUF balances trust and responsibility by ensuring that more vulnerable roles have less of an impact when compromised.