[TUF] What should the root key cover #27
sudo-bmitch asked this question in Q&A (Unanswered, 1 comment)
In Notary v1, the root key was frequently a repository level construct. In the v2 TUF proposal, the root key is a registry level concept:

I feel like we shouldn't bind this key to either, and that it likely belongs to an organization rather than at any technical boundary. There may be multiple root keys in a larger public registry (like Docker Hub), each for a separate organization that could have one or more accounts (namespaces) on the registry, each with multiple repositories. Conversely, there may be a single organization with multiple self-hosted registry servers (for development, production, and DR), and they may want a single root key for all of these registries.

It would also be useful to understand how to manage this key when organizations shift responsibility for root key management. E.g. Notary is often brought in as a pilot project by one or more teams, each with their own root key, and later the company security department takes over management and doesn't want to trust either of the individual team root keys for the entire company. Other times may see companies split into multiple divisions, each with separate security teams.

Comment:

There's a tradeoff here where having a root for a smaller set of repositories (i.e. an organization) means that the key has a clearer meaning (and smaller snapshot), but it also means that more root keys need to be distributed to users. For a large registry, this might be worth the tradeoff, but we'll want to have a clear plan for key distribution to ensure this is easy to use.