The basic technology behind TUF was developed at the University of Washington
in 2009 by Justin Samuel and Justin Cappos, and presented
in a paper
Samuel and Cappos coauthored with Nick Mathewson and Roger
Dingledine, researchers from The Tor Project,
Inc. Since 2011, TUF has been based at New York
University Tandon School of Engineering, where
Cappos is a tenured associate professor of computer science and engineering.
There he works with a team of Ph.D. students, including Trishank Karthik Kuppusamy,
who graduated in 2017, and developers,
including Vladimir Diaz and Sebastien Awwad, to supervise the development of
TUF and its adoption and integration by open source non-profits and tech companies.
Though TUF technologies have been customized to meet end-user specifications,
four core principles continue to be central to its design.
The first is separation of responsibilities for signing metadata, which means
one compromised key does not automatically compromise all repository users.
The second specifies a fixed number of signatures agreeing to the authenticity
of what is presented in the metadata that accompanies an update before the
server will download it.
A third principle works to help a repository to recover quickly from a
compromise by providing an automatic way to revoke signing keys. By doing so,
hackers can not sign metadata to authenticate malware.
Lastly, TUF keeps the most vulnerable signing keys offline, which greatly
reduces the risk that they can be stolen or compromised.
In 2016, the TUF research group set up a process whereby the community could
have input on technical issues. Named the TUF Augmentation Proposal, or TAP,
this series of documents also provide information to the TUF community, or
describe new feature for TUF or its processes or environment. Through the use
of TAPs, as well as input from those who adopted the technology, the evolution
of TUF technology can continue as security needs change.