diff --git a/securesystemslib/formats.py b/securesystemslib/formats.py
index 88cb7f78..60b5ebb6 100755
--- a/securesystemslib/formats.py
+++ b/securesystemslib/formats.py
@@ -217,6 +217,13 @@
   public = SCHEMA.AnyString(),
   private = SCHEMA.Optional(SCHEMA.AnyString()))
 
+# Public keys CAN have a private portion (for backwards compatibility) which
+# MUST be an empty string
+PUBLIC_KEYVAL_SCHEMA = SCHEMA.Object(
+  object_name = 'KEYVAL_SCHEMA',
+  public = SCHEMA.AnyString(),
+  private = SCHEMA.Optional(SCHEMA.String("")))
+
 # Supported TUF key types.
 KEYTYPE_SCHEMA = SCHEMA.OneOf(
   [SCHEMA.String('rsa'), SCHEMA.String('ed25519'),
@@ -230,6 +237,13 @@
   keyval = KEYVAL_SCHEMA,
   expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA))
 
+# Like KEY_SCHEMA, but requires keyval's private portion to be not set or empty
+PUBLIC_KEY_SCHEMA = SCHEMA.Object(
+  object_name = 'KEY_SCHEMA',
+  keytype = SCHEMA.AnyString(),
+  keyval = PUBLIC_KEYVAL_SCHEMA,
+  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA))
+
 # A TUF key object. This schema simplifies validation of keys that may be
 # one of the supported key types.
 # Supported key types: 'rsa', 'ed25519'.
diff --git a/tests/test_formats.py b/tests/test_formats.py
index 3a838a41..ff974136 100755
--- a/tests/test_formats.py
+++ b/tests/test_formats.py
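Review bot: The new PUBLIC_KEYVAL_SCHEMA in the first hunk is declared with `object_name = 'KEYVAL_SCHEMA'`, so any validation failure it produces will be attributed to the permissive schema rather than the one that was actually applied; the second hunk has the same mismatch with PUBLIC_KEY_SCHEMA carrying `object_name = 'KEY_SCHEMA'`. This matters here because the whole point of these schemas is to reject a key object that unexpectedly carries private material, and an operator debugging such a rejection needs the error to name the strict schema (assuming object_name is what SCHEMA.Object reports in its error messages, as it appears to be elsewhere in the project). The fix is two lines, `object_name = 'PUBLIC_KEYVAL_SCHEMA'` and `object_name = 'PUBLIC_KEY_SCHEMA'`. It would also help to state in the comment above PUBLIC_KEYVAL_SCHEMA why the private portion is tolerated at all, e.g. `# Only an empty 'private' is accepted so that serialized public keys never carry key material; non-empty values are rejected.`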
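Review bot: PUBLIC_KEY_SCHEMA added in the second hunk is never exercised by the tests this commit adds: the 'PUBLIC_KEY_SCHEMA' and 'PUBLIC_KEY_SCHEMA2' entries in tests/test_formats.py bind to `securesystemslib.formats.KEY_SCHEMA`, which already accepted those inputs before the change, so the stricter schema could be broken or loosened without any test noticing. Those two entries should reference `securesystemslib.formats.PUBLIC_KEY_SCHEMA`. Since the property being introduced is a rejection (a non-empty 'private' must fail), a negative case asserting that `{'keytype': 'rsa', 'keyval': {'public': 'pubkey', 'private': 'privkey'}}` does not match PUBLIC_KEY_SCHEMA would be the test that actually protects it; the test hunk is cut off in this view, so I cannot see whether such a case exists further down.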
@@ -102,11 +102,26 @@ def test_schemas(self): 'KEYVAL_SCHEMA': (securesystemslib.formats.KEYVAL_SCHEMA, {'public': 'pubkey', 'private': 'privkey'}), + 'PUBLIC_KEYVAL_SCHEMA': (securesystemslib.formats.PUBLIC_KEYVAL_SCHEMA, + {'public': 'pubkey'}), + + 'PUBLIC_KEYVAL_SCHEMA2': (securesystemslib.formats.PUBLIC_KEYVAL_SCHEMA, + {'public': 'pubkey', 'private': ''}), + 'KEY_SCHEMA': (securesystemslib.formats.KEY_SCHEMA, {'keytype': 'rsa', 'keyval': {'public': 'pubkey', 'private': 'privkey'}}), + 'PUBLIC_KEY_SCHEMA': (securesystemslib.formats.KEY_SCHEMA, + {'keytype': 'rsa', + 'keyval': {'public': 'pubkey'}}), + + 'PUBLIC_KEY_SCHEMA2': (securesystemslib.formats.KEY_SCHEMA, + {'keytype': 'rsa', + 'keyval': {'public': 'pubkey', + 'private': ''}}), + 'RSAKEY_SCHEMA': (securesystemslib.formats.RSAKEY_SCHEMA, {'keytype': 'rsa', 'keyid': '123456789abcdef',