I understand what the timestamp key is used for, but not its relation to the other keys. Unlike root/snapshot/targets (which are generated out of band) it appears that the time-stamp key is generated by the notary-signer. And yet it is identified in the roots.json file. I am trying to understand how this happens. Does the notary-signer generate the key pair and then present it back to the host to sign? I don’t see any talk of how this works in the TUF spec or any of the Notary/Docker documentation. Any pointers to documentation (or explanation here) would be helpful.

tx!