Expand on the TUF client update workflow, per popular demand. #440
Conversation
docs/tuf-spec.txt
Outdated
| @@ -928,24 +928,113 @@ Version 1.0 (Draft) | |||
|
|
|||
| 5.1. The client application | |||
|
|
|||
| 1. The client application first instructs TUF to check for updates. | |||
| 1. **Download the root metadata file**, up to some predetermined number of | |||
There was a problem hiding this comment.
Please clarify what "predetermined" means here.
docs/tuf-spec.txt
Outdated
| arbitrarily increase the version numbers of: (1) the timestamp metadata, | ||
| (2) the snapshot metadata, and / or (3) the targets, or a delegated | ||
| targets, metadata file in the snapshot metadata. Please see the Mercury | ||
| paper for more details (to be published soon). |
There was a problem hiding this comment.
You can probably point to where this will be:
https://ssl.engineering.nyu.edu/papers/kuppusamy_usenix_17.pdf
For the time being, feel free to put the SUBMITTED there, but please label it DRAFT
docs/tuf-spec.txt
Outdated
|
|
||
| 7. TUF downloads and verifies the file and then makes the file available to the | ||
| software update system. | ||
| 2.1. **Check signatures.** It must have been signed by a threshold of keys |
There was a problem hiding this comment.
Please avoid 'It', especially when it crosses points, etc.
| 5.1. If there is no targets metadata about this target, then report that | ||
| there is no such target. | ||
|
|
||
| 5.2. Otherwise, download the target (up to the number of bytes specified in |
There was a problem hiding this comment.
It's worth explaining why this is 'up to' instead of 'exactly'
|
Should we postpone the specification edits for the map file changes? The PR that implements the map file (TAP 4) hasn't yet been reviewed/merged with the master/develop branch. We can also update the specification in pull request #430. |
|
You could, but realistically, TAP 4 is moving quickly toward acceptance.
We will need to do TAP 7 first, but I hope we will have all approved in the
next two months.
…On Wed, Apr 26, 2017 at 4:33 PM, Vladimir Diaz ***@***.***> wrote:
Should we postpone the specification edits for the map file changes? The
PR that implements the map file (TAP 4) hasn't yet been reviewed/merged
with the master/develop branch. We can also update the specification in
pull request #430 <#430>.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#440 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA0XD72xQXzaW1JYqogQJyFDoqzLeWY2ks5rz6oVgaJpZM4NJOnY>
.
|
docs/tuf-spec.txt
Outdated
|
|
||
| 2. TUF downloads and verifies timestamp.json. | ||
| 1.1. **Check signatures.** The root metadata file must have been signed by |
There was a problem hiding this comment.
I think you should mention key pinning over TOFU for the initial root.json.
There was a problem hiding this comment.
Good idea. Where is it best in the specification to discuss this?
There was a problem hiding this comment.
Also, where in the specification do you think we should use "SHOULD" or "MUST" (ala RFC 2119)?
There was a problem hiding this comment.
For example:
The latest known time should be lower than the expiration timestamp
should say
The latest known time MUST be lower than the expiration timestamp
There was a problem hiding this comment.
Also
The version number of the previous root metadata file must be less than or equal
Should have the "must" in all caps
There was a problem hiding this comment.
As for where to mention pinning vs. TOFU, I think there should be a section before 5.1 maybe called "client design" that mentions this, and then step 1 could specifically say something like "If a client was initialized with a pinned set of root keys, these keys and only these keys MUST be used to validate the original root.json."
There was a problem hiding this comment.
Thanks very much, @heartsucker, will incorporate these suggestions!
|
I have another question on this. I seem to have a chicken and egg problem. Imagine a repo at time T1 with all metadata at versions 1. A client connects and downloads all metadata. At time T2, someone swaps the root metadata keys and all role keys creating all new metadata at versions 2. A client connects at T3 and starts by downloading the timestamp.json. This would be untrusted because the client doesn't know about the version 2 keys. I think this could include the step saying "if timestamp.json is untrusted, the client downloads root.json an rebuilds the chain of trust, returns to the start and attempts to download timestamp.json again repeating the loop." |
|
@heartsucker The first step of the update process should always be updating the root chain, so that trusted keys are up to date. I think the only change needed here is to clarify that "downloading the root" can mean "downloading n roots, until one is reached that is signed by trusted keys" |
|
Very good question, @heartsucker, about not being able to verify timestamp and / or snapshot metadata due to change of keys, and thanks for the response, @ecordell ! Indeed, partly due to our findings from the submitted Mercury draft, we have made updating the root metadata the first and foremost step, so that there are no problems verifying timestamp and / or snapshot metadata from a change of keys (especially after the repository has been compromised, and recovered). This is also the first and foremost step, partly due to TAP 5. |
Client's should validate new root.json according to the threshold and keys set by its previous version. See @heartsucker comment [here](theupdateframework/rust-tuf#42 (comment))
|
@trishankkarthik I think this PR is good enough to merge at the moment. We can address the other points raised in the comments in separate pull requests. Please go ahead and make Documenting the other needed changes to specification...
|
Ideally, the former should be merged with the latter.
|
@vladimir-v-diaz @JustinCappos I agree we should merge. But first, I think we should:
|
|
Okay, I merged reading consistent snapshots with the client update workflow. I also added some other details. Someone else please review to make sure I didn't make mistakes from burning the midnight oil. @vladimir-v-diaz We should fix Section 7.1 (writing consistent snapshots). It seems to have some now inaccurate information. For example, aren't all targets metadata files written as FILENAME.VERSION.EXT instead of FILENAME.DIGEST.EXT? Isn't only the snapshot metadata file written as FILENAME.DIGEST.EXT? The root and timestamp metadata files are written as both FILENAME.EXT and FILENAME.DIGEST.EXT, right? Also, have we decided whether it's (DIGEST|VERSION).FILENAME.EXT or FILENAME.(DIGEST|VERSION).EXT? Thanks! |
|
Okay, I just added that the expiration of the previous root metadata file does not matter, because we will attempt to update it in the next step. |
|
The code expects metadata filenames to be in I think that's the format we last settled on. There were several reasons, one of them being that long digests might exceed the filename limit set by certain filesystems. However, according to Hannes, TAP 8 requires that filenames include the digest. We'll see once the TAP is edited with more detail. |
|
@vladimir-v-diaz Got it. Please feel free to make the change! |
docs/tuf-spec.txt
Outdated
| without requiring all previous root keys to be kept to sign new root.json | ||
| metadata. | ||
|
|
||
| In the event that the keys being updated are root keys, it is important to |
There was a problem hiding this comment.
@vladimir-v-diaz I think this is great! Should we say a bit more about this in Step 1 of Section 5.1?
There was a problem hiding this comment.
I think we should. Do we also explain how to recover from a fast-forward attack?
Note: I just reviewed section 7.1 and it seems accurate to me, at least in regard to filenames. Is there a sentence/statement in particular that is inaccurate?
There was a problem hiding this comment.
Okay, we do mention fast-forward attacks in the revised 1.5 section!
|
I think we might be able to reuse some of @heartsucker's outline of root key migrations here. |
Also corrected how files are fetched.
…f into add-detailed-workflow
|
Okay, so I just worked with @vladimir-v-diaz to update the workflow. Specifically, I added details on how to update to the latest root metadata file (thanks to @ecordell and @heartsucker). @JustinCappos Please review the entire workflow to make sure there are no problems? |
Besides our reference implementation, I do not believe that the TUF specification describes the precise steps that an alternative, compliant implementation should follow to download and verify a target. This PR is a humble attempt at solving this problem.
There are still some details are missing, such as:
Hopefully, I didn't miss something important, or, worse, get something wrong. (I'll blame it on travel lag.) Please take it from here!