[TAP 8] Should rotate files be listed in snapshot metadata?

[mnm678]

When working on the implementation of TAP 8, it became clear that there is an issue with TAP 8's requirement that the version number of the latest rotate file for each role is listed in snapshot metadata. Rotate files must be verified before the metadata for that role is used, but timestamp and snapshot roles must be verified before snapshot metadata is used. Thus the client cannot check snapshot metadata for version numbers of rotate files for timestamp and snapshot. I see two possible solutions.

Option 1: Disallow rotate files for the timestamp and snapshot role. Rotate files would only be used for targets roles, and could use the existing snapshot metadata checks.

pros:

• the snapshot metadata check ensures that clients have the most up-to-date set of keys
• use of snapshot metadata ensures only rotate files that exist are downloaded

cons:

• prevents rotating of the frequently-used timestamp and snapshot roles

Option 2: Skip the snapshot check for timestamp and snapshot rotate files (but leave it in place for targets). Rotate files would be downloaded similar to the root metadata today, with clients looking for version 1, then version 2, etc

pros:

• maintain the ability to rotate all roles

cons:

• additional network calls are required even when no rotate files are present
• potential denial of service (only if attacker controls the network)

I am leaning toward option 2, as I think the denial of service is already possible for an attacker that controls the network, and so the ability to rotate keys more frequently seems worth it, but I would appreciate feedback from others.

Thanks to @jku for helping me find this issue

[mnm678]

Based on discussion in the Feb 22 TUF community meeting, I will proceed with option 1 listed above. It was decided that this is the simplest solution, and a further enhancement could add key rotation for non-targets roles.