From 60e950f4d617eb74c92959b8b0beb744238c3d6f Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Tue, 9 Apr 2024 08:56:08 -0400 Subject: [PATCH] [TAP 8] Describe DoS attack and prevention (#183) * Describe DoS attack and prevention Signed-off-by: Marina Moore * Add rotate file limit Signed-off-by: Marina Moore * Address multiple-delegation Signed-off-by: Marina Moore --------- Signed-off-by: Marina Moore --- tap8.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tap8.md b/tap8.md index 8470b9e..b2ccc47 100644 --- a/tap8.md +++ b/tap8.md @@ -210,6 +210,8 @@ old rotate files for the old role should be deleted and removed from snapshot on the next snapshot key rotation. The client will determine the correct rotate file for the new role by starting from VERSION 1. +The repository SHOULD set a limit to the number of rotate files per role. This limit should be clear to all key holders (for example, it could be in repository documentation or added to root metadata). Once this number of rotate files is reached, the repository will reject rotations for this role and the delegator should create a new delegation to a new role. + ## Client workflow A client who wants to install foo now fetches Alice's targets file and will 
@@ -370,6 +372,14 @@ As a general note, this TAP only extends the possibilities of a target, but the delegation mechanism is still in place - i.e. a key higher up in the delegation can always revoke / modify the delegation itself. +A key holder or attacker could upload a large number of rotate files to DoS the +role or repository. This is similar to an existing attack where an attacker +with access to a private key can upload several different versions of the same +metadata file. To mitigate this attack on rotations, the repository should +set a limit on the number of rotate files per role. If a role needs to change +more than this limit, the delegator must re-delegate to a new role, re-setting +any rotations. + Baton - Baton: Certificate Agility for Android’s Decentralized Signing Infrastructure - http://people.scs.carleton.ca/~paulv/papers/wisec2014-baton.pdf - is a similar proposal to extend Android's signing infrastructure.
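Review bot: In the first hunk (the paragraph added after "starting from VERSION 1"), the limit is only enforced on the repository side ("the repository will reject rotations for this role"), while the surrounding text has the client walk rotate files "starting from VERSION 1" with no upper bound. Consider stating that clients MUST also stop at the configured limit and treat further rotate files as an error, so that a client is protected even when the repository does not enforce the limit; otherwise the client-side resource exhaustion this paragraph is meant to address remains. The same paragraph mixes "SHOULD set a limit" with "should be clear" and "will reject", so the RFC 2119 intent is unclear; if the limit is REQUIRED for the mitigation to work, say so, and specify where a client finds the value when it is "added to root metadata" rather than leaving documentation and root metadata as alternatives.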
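Review bot: In the second hunk (the security-discussion paragraph before "Baton"), "DoS" is used without expansion; write "denial of service (DoS)" on first use. The sentence "If a role needs to change more than this limit, the delegator must re-delegate to a new role, re-setting any rotations" is ambiguous: "change" should read "rotate its key more than this limit allows", and "re-setting any rotations" should say explicitly that the new role starts again from VERSION 1 and that the old role's rotate files are removed as described earlier. Also, this paragraph restates the limit with lowercase "should" while the first hunk uses "SHOULD"; align the two and have this paragraph reference the normative statement rather than repeating it.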