diff --git a/tuf/signed/ed25519.go b/tuf/signed/ed25519.go
index 6ee5a3c4fb..3f7ad1ed28 100644
--- a/tuf/signed/ed25519.go
+++ b/tuf/signed/ed25519.go
@@ -46,8 +46,10 @@ func (e *Ed25519) RemoveKey(keyID string) error {
 // ListKeys returns the list of keys IDs for the role
 func (e *Ed25519) ListKeys(role string) []string {
 	keyIDs := make([]string, 0, len(e.keys))
-	for id := range e.keys {
-		keyIDs = append(keyIDs, id)
+	for id, edCryptoKey := range e.keys {
+		if edCryptoKey.role == role {
+			keyIDs = append(keyIDs, id)
+		}
 	}
 	return keyIDs
 }
diff --git a/tuf/signed/ed25519_test.go b/tuf/signed/ed25519_test.go
new file mode 100644
index 0000000000..18e0ccff2b
--- /dev/null
+++ b/tuf/signed/ed25519_test.go
@@ -0,0 +1,24 @@
+package signed
+
+import (
+	"testing"
+
+	"github.com/docker/notary/tuf/data"
+	"github.com/stretchr/testify/assert"
+)
+
+// ListKeys only returns the keys for that role
+func TestListKeys(t *testing.T) {
+	c := NewEd25519()
+	tskey, err := c.Create(data.CanonicalTimestampRole, data.ED25519Key)
+	assert.NoError(t, err)
+
+	_, err = c.Create(data.CanonicalRootRole, data.ED25519Key)
+	assert.NoError(t, err)
+
+	tsKeys := c.ListKeys(data.CanonicalTimestampRole)
+	assert.Len(t, tsKeys, 1)
+	assert.Equal(t, tskey.ID(), tsKeys[0])
+
+	assert.Len(t, c.ListKeys(data.CanonicalTargetsRole), 0)
+}