Comments (6)
One option we discussed is to write at the end of 1.3 something like "Version N+1 is now the trusted root metadata file." and then use "trusted root file" in all cases.
Alternatively, we could update them all to "current root metadata file". This is somewhat less clear on careful reading, but perhaps clearer to someone skimming.
(As for 0 and 0.1: 0.1 is unnecessary for TUF's security and possibly confusing. 1.3(2) performs the same check. See comments starting here.)
from taps.
I have moved this issue to the TUF repository. The TAPs repo isn't the place for this issue.
from taps.
If I can weigh in here, I think "trusted root metadata file," probably works better than "current" as a "standardized" term for the document as a whole.
from taps.
@awwad Feel free to repost your comment here:
theupdateframework/python-tuf#458
from taps.
Although I don't have a preference, I don't think "trusted root metadata file" always works better than "current root metadata file."
Consider the following context: "a threshold of keys specified in the current root metadata file (version N+1)."
It's a little strange to say "trusted" here instead of "current", because we haven't trusted it yet, we're still checking it.
I'll leave this up to you all.
from taps.
@trishankkarthik In 1.3 and 1.4, the root versions are numbered and the currently trusted file is actually N, so we can be even clearer. I'd probably put 1.3 and 1.4 this way: (Changes are bracketed [].)
1.3. **Check signatures.** Version N+1 of the root metadata file MUST have
been signed by: (1) a threshold of keys specified in the currently trusted root
metadata file (version N), and (2) a threshold of keys specified in the
[new] root metadata file [being validated] (version N+1).
1.4. **Check for a rollback attack.** The version number of the [currently
trusted] metadata file [(N)] must be less than or equal to the version number of [the
new] root metadata file [(N+1)]. Effectively, this means checking that the version
number signed in the [new] root metadata file is indeed N+1.
There's a bit of hand waving in 1.4 where we sort of imply that the new file doesn't have to have had version N+1 after all, even though we've been calling it N+1. If people think that's confusing, which I can imagine, it could be rewritten with versions identified as X and Y and given example values 6 and 7, say, in parentheticals. NBD, though.
from taps.
Related Issues (20)
- TAP process (TAP 1) HOT 7
- Allowing TAPs that are licensed with MIT or Apache 2.0? HOT 12
- TAP process: issue with pre-implementation phase visibility
- master branch protection HOT 6
- Discussion of TAP 15: Succinct hash bin delegations HOT 10
- Discussion of TAP 16: Snapshot Merkle trees HOT 3
- Discussion of TAP 12: Improving keyid flexibility HOT 4
- Discussion of TAP 14: Managing TUF Versions HOT 6
- Discussion of TAP 13: User Selection of the Top-Level Target Files Through Mapping Metadata HOT 1
- Discussion of TAP-17: Remove signature wrapper from TUF spec HOT 3
- POUF1 is out of date
- audit logs for root metadata changes
- Should POUF-1 allow whitespace for prettified output? HOT 2
- Define preferred style for wrapping and enforce with linter
- Discussion of Fulcio TAP (TAP 18) HOT 6
- [TAP 8] Should rotate files be listed in snapshot metadata? HOT 1
- Introduce a status for approved/accepted TAPs that are not intended to make it into the core specification
- TAP request: artifact discovery, index files and targets metadata HOT 1
- TAP 19: should discuss privacy HOT 1
- Support for downgrading/revoking a version? HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from taps.