Description
Given the importance of the root metadata, changes made to it are quite important. I was recently tasked with keeping an audit log of such changes. The naive approach is to more or less add a new DB column and move on. However, when I start to think of the qualities such a solution needs, such as being tamper resistant, I start to wonder if this shouldn't be optionally supported (or even recommended) in the TUF spec. For example, maybe we could add a new optional attribute, reason, to the signed root metadata. Maybe a free-form string or some free-form object, e.g.:
signed:
_Type: Root
expires: 2022-08-19T16:23:01Z
version: 2
reason: User(1234) rotated root keys that were due to expire
Then we add a new targets signing key and get:
signed:
_Type: Root
expires: 2022-09-19T16:23:01Z
version: 3
reason: User(456) added targets keyid 1234
I'm not totally sure this belongs in the root metadata; it might need to be its own new artifact. Just curious if people had thought about this and if there was interest in something along these lines?
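The tamper-resistance point in the proposal can be shown concretely: if reason lives inside the signed object, the root signatures cover it, and a client that applies the normal root-update rules (each new root must carry a threshold of signatures from the previous root's keys and from its own) gets a tamper-evident audit trail by walking the version chain. The following is an added example written for this page; it is not code from the issue author or from any TUF implementation. It assumes an HMAC-SHA256 stand-in for TUF's asymmetric signatures (the KEYS table, make_root, valid_signers and verify_chain are all hypothetical helpers), a sorted-keys JSON approximation of canonical JSON, and constructed root v1/v2/v3 metadata mirroring the issue's examples.

```python
"""Added example (not TUF reference code): a `reason` field inside `signed`
is covered by the root signatures, so walking the root chain yields a
tamper-evident audit trail. Signatures here are an HMAC stand-in."""
import hashlib
import hmac
import json
from copy import deepcopy

# Assumption: keyid -> shared secret used with HMAC-SHA256 as a stand-in for
# TUF's ed25519/ECDSA/RSA signatures and the public keys in `signed.keys`.
KEYS = {
    "root-k1": b"root key 1 secret (demo)",
    "root-k2": b"root key 2 secret (demo)",
    "targets-1234": b"targets key secret (demo)",
}


def canonical(signed):
    # Approximation of TUF canonical JSON: sorted keys, no whitespace.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(secret, signed):
    return hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()


def make_root(version, expires, root_keyids, targets_keyids, signers, reason=None):
    # Hypothetical builder for a minimal root metadata object.
    signed = {
        "_type": "root",
        "spec_version": "1.0",
        "version": version,
        "expires": expires,
        "roles": {
            "root": {"keyids": root_keyids, "threshold": 1},
            "targets": {"keyids": targets_keyids, "threshold": 1},
        },
    }
    if reason is not None:
        signed["reason"] = reason  # the proposed optional attribute, inside `signed`
    return {
        "signed": signed,
        "signatures": [{"keyid": k, "sig": sign(KEYS[k], signed)} for k in signers],
    }


def valid_signers(metadata, keyids):
    # Distinct keyids from `keyids` whose signature verifies over `signed`.
    ok = set()
    for s in metadata["signatures"]:
        kid = s["keyid"]
        if kid in keyids and kid in KEYS and hmac.compare_digest(
            s["sig"], sign(KEYS[kid], metadata["signed"])
        ):
            ok.add(kid)
    return ok


def verify_chain(trusted_root, candidates):
    """Apply the root-update rules to each candidate in turn and return the
    (version, reason) audit trail. Raises ValueError on any tampering."""
    current = trusted_root
    trail = [(current["signed"]["version"], current["signed"].get("reason"))]
    for cand in candidates:
        old_role = current["signed"]["roles"]["root"]
        new_role = cand["signed"]["roles"]["root"]
        version = cand["signed"]["version"]
        if version != current["signed"]["version"] + 1:
            raise ValueError("root version must increase by exactly one")
        # The new root must be signed by a threshold of the previous root keys ...
        if len(valid_signers(cand, old_role["keyids"])) < old_role["threshold"]:
            raise ValueError("root v%d: previous root key threshold not met" % version)
        # ... and by a threshold of the root keys it declares for itself.
        if len(valid_signers(cand, new_role["keyids"])) < new_role["threshold"]:
            raise ValueError("root v%d: own root key threshold not met" % version)
        trail.append((version, cand["signed"].get("reason")))
        current = cand
    return trail


def build_chain():
    # Constructed sample data mirroring the issue's v2/v3 examples.
    v1 = make_root(1, "2022-07-19T16:23:01Z", ["root-k1"], [], ["root-k1"])
    v2 = make_root(2, "2022-08-19T16:23:01Z", ["root-k2"], [], ["root-k1", "root-k2"],
                   reason="User(1234) rotated root keys that were due to expire")
    v3 = make_root(3, "2022-09-19T16:23:01Z", ["root-k2"], ["targets-1234"], ["root-k2"],
                   reason="User(456) added targets keyid 1234")
    return v1, [v2, v3]


def tampered_reason_is_detected():
    # Rewriting the audit entry after the fact invalidates the root signature.
    v1, chain = build_chain()
    forged = deepcopy(chain[1])
    forged["signed"]["reason"] = "User(456) routine maintenance"
    try:
        verify_chain(v1, [chain[0], forged])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    v1, chain = build_chain()
    for version, reason in verify_chain(v1, chain):
        print(version, reason)
    print("tamper detected:", tampered_reason_is_detected())
```

Two things the example makes visible that a DB column does not: the trail is only as trustworthy as the root signing keys themselves (anyone holding a threshold of root keys can sign a misleading reason), and the trail is recoverable by any client that has retained the chain of root versions, with no separate log store to protect.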