You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When working on the implementation of TAP 8, it became clear that there is an issue with TAP 8's requirement that the version number of the latest rotate file for each role is listed in snapshot metadata. Rotate files must be verified before the metadata for that role is used, but timestamp and snapshot roles must be verified before snapshot metadata is used. Thus the client cannot check snapshot metadata for version numbers of rotate files for timestamp and snapshot. I see two possible solutions.
Option 1: Disallow rotate files for the timestamp and snapshot role. Rotate files would only be used for targets roles, and could use the existing snapshot metadata checks.
pros:
the snapshot metadata check ensures that clients have the most up-to-date set of keys
use of snapshot metadata ensures only rotate files that exist are downloaded
cons:
prevents rotating of the frequently-used timestamp and snapshot roles
Option 2: Skip the snapshot check for timestamp and snapshot rotate files (but leave it in place for targets). Rotate files would be downloaded similar to the root metadata today, with clients looking for version 1, then version 2, etc
pros:
maintain the ability to rotate all roles
cons:
additional network calls are required even when no rotate files are present
potential denial of service (only if attacker controls the network)
I am leaning toward option 2, as I think the denial of service is already possible for an attacker that controls the network, and so the ability to rotate keys more frequently seems worth it, but I would appreciate feedback from others.
Based on discussion in the Feb 22 TUF community meeting, I will proceed with option 1 listed above. It was decided that this is the simplest solution, and a further enhancement could add key rotation for non-targets roles.
When working on the implementation of TAP 8, it became clear that there is an issue with TAP 8's requirement that the version number of the latest rotate file for each role is listed in snapshot metadata. Rotate files must be verified before the metadata for that role is used, but timestamp and snapshot roles must be verified before snapshot metadata is used. Thus the client cannot check snapshot metadata for version numbers of rotate files for timestamp and snapshot. I see two possible solutions.
Option 1: Disallow rotate files for the timestamp and snapshot role. Rotate files would only be used for targets roles, and could use the existing snapshot metadata checks.
pros:
cons:
Option 2: Skip the snapshot check for timestamp and snapshot rotate files (but leave it in place for targets). Rotate files would be downloaded similar to the root metadata today, with clients looking for version 1, then version 2, etc
pros:
cons:
I am leaning toward option 2, as I think the denial of service is already possible for an attacker that controls the network, and so the ability to rotate keys more frequently seems worth it, but I would appreciate feedback from others.
Thanks to @jku for helping me find this issue
The text was updated successfully, but these errors were encountered: