Results 139 comments of Justin Cappos

> Should [in-toto/docs#85](https://github.com/in-toto/docs/issues/85) be the upstream issue here?

Thanks, added it!

The CNCF's documentation team has a process which they went through for in-toto resulting in [this assessment](https://github.com/in-toto/docs/issues/85). Once this happens, we also want to fix up the problems raised through...

There are already some materials for this, mostly tilted toward security aspects. This is more lecture slides, assignments, etc. than a textbook. However, the new [security assessment guide](https://github.com/cncf/tag-security/issues/999) for the...

I'd also love to hear from people interested in using this to understand more. I have educational materials that have been used at a lot of schools (everything from 2...

I support this move.

For what it is worth with respect to freeze attacks / metadata validity, the TUF spec was written with the expectation that clients would update and replace metadata within the...
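The freeze-attack defense that comment refers to, as an added illustration that is not code from the thread or from the TUF reference implementation: a client only accepts a newly fetched metadata document if its version has not gone backwards and it has not yet expired, and refuses to act on the copy it already trusts once that copy's expiry has passed. The field names (`signed.version`, `signed.expires` in `YYYY-MM-DDTHH:MM:SSZ` form) follow the TUF metadata layout; the two sample documents and the fixed clock are constructed for the example.

```python
# Added example, not from the thread. Demonstrates the freshness checks a
# TUF-style client applies to timestamp/snapshot metadata so that an attacker
# who can only replay old, correctly signed files (a freeze attack) is detected.
# Signature verification is assumed to have already happened on "signed".
from datetime import datetime, timezone


class MetadataError(Exception):
    """Raised when fetched metadata must not replace the trusted copy."""


def parse_expires(ts: str) -> datetime:
    # TUF expiry timestamps are UTC, e.g. "2024-03-01T00:00:00Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_replacement(new_signed: dict, trusted_signed: dict, now: datetime) -> bool:
    """Return True if new_signed may replace trusted_signed at time `now`.

    Rejects version rollback and expired metadata. Raising (rather than
    silently keeping the old copy) is deliberate: the client must not proceed
    to install targets on the basis of stale metadata.
    """
    if new_signed["version"] < trusted_signed["version"]:
        raise MetadataError(
            "rollback: fetched version %d is older than trusted version %d"
            % (new_signed["version"], trusted_signed["version"])
        )
    if parse_expires(new_signed["expires"]) <= now:
        raise MetadataError("fetched metadata expired at %s" % new_signed["expires"])
    return True


def trusted_copy_usable(trusted_signed: dict, now: datetime) -> bool:
    """A freeze attack can also look like 'no update available': the client
    keeps whatever it has. So the locally trusted copy is re-checked against
    the clock as well; once it has expired the client must stop trusting it."""
    return parse_expires(trusted_signed["expires"]) > now


# Constructed sample documents (only the "signed" portion of a TUF timestamp role).
TRUSTED = {"_type": "timestamp", "version": 5, "expires": "2024-01-01T00:00:00Z"}
FRESH = {"_type": "timestamp", "version": 6, "expires": "2024-03-01T00:00:00Z"}
ROLLBACK = {"_type": "timestamp", "version": 4, "expires": "2024-03-01T00:00:00Z"}
STALE = {"_type": "timestamp", "version": 6, "expires": "2024-01-15T00:00:00Z"}

# Fixed clock for a deterministic run.
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def classify(candidate: dict) -> str:
    """Small driver returning a label instead of printing, so it is testable."""
    try:
        check_replacement(candidate, TRUSTED, NOW)
        return "accepted"
    except MetadataError as e:
        return "rejected: " + str(e).split(":")[0]


if __name__ == "__main__":
    for name, doc in (("FRESH", FRESH), ("ROLLBACK", ROLLBACK), ("STALE", STALE)):
        print(name, "->", classify(doc))
    print("trusted copy still usable:", trusted_copy_usable(TRUSTED, NOW))
```

Note that with the constructed clock the trusted copy itself has already expired, which is exactly the situation a frozen mirror produces: the client must treat "nothing newer is available" as a failure rather than as a successful no-op update.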

@mnm678, can you describe in a bit more detail here? Perhaps an example would help...

On Wed, Sep 12, 2018 at 12:10 PM mnm678 wrote:
> After talking with @JustinCappos...

I see a lot of potential complications with having the root role use the same mechanism. When you sign metadata is absolutely key in this case and the consistency and...

I think there is another option for spec file changes --- require a version of the file with the old spec number (and of course in the old format) that...

Why wouldn't the project name be part of the signed rotate file? If so, then this avoids the specific case you mention. It should only be a problem then if...