Consider reimplement securesystemslib/formats.py in Go

[Dentrax]

Hey! Just thinking about how we can use the Python implementation of securesystemslib/formats.py in Go. It has a really cool scheme and object validations, so I thought we can use similar functions in Go implementation as a library. I'm not sure whether worth to implement whole thing, so we dropped this issue to further discuss!

If it makes sense, we can give a hand with @developer-guy!

[shibumi]

Hi @Dentrax some of these models/formats are already implemented in the in-toto-golang codebase: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/verifylib.go

I don't know if it would make sense to move this library to the securesystemslib. Opinions @SantiagoTorres @adityasaky ?

EDIT: Okay, I just realized that it's not the verifylib.go.. it's distributed among all files of the in-toto-golang projects

[adityasaky]

IMO, it probably makes sense to analyze in-toto-golang and go-tuf to see what commonalities we can offload here rather than reimplementing everything in py-sslib. cc @mnm678 as well

[joshuagl]

Note we opted not to utilise securesystemlib's formats facility in new python-tuf code because it has several well documented (hat-tip @lukpueh) flaws secure-systems-lab/securesystemslib#183 including a fairly noticeable performance impact (>5% execution time spent in verifying formats).