Added TAP for TUF Version Management #107
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joshuagl I added a deprecation field as discussed. A couple of notes:
deprecation_timestamp, so am open to any clearer or shorter name suggestionsThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not putting this in root seems sensible. Is Targets the best role to include this in? Would the Snapshot make more sense? Or are you trying to avoid having this in metadata which will often be signed by online keys?
Regarding the name, would
becomes_obsoletework better? It's not shorter, but may be clearer?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I went with targets instead of snapshot/timestamp mostly to allow the field to differ in delegated targets. The only attack that I can think of on this field would be a denial of service (or convincing a client to upgrade early, but it's hard to imagine that being a successful attack), so the online keys shouldn't be too much of a problem. However in this design delegated targets may use a different TUF specification version than the top-level metadata, so having this field for each targets metadata file seems useful. For example an individual delegated targets file could stop supporting version 1.x before the top-level metadata, so this field would allow them to indicate this change to the client.
I like
becomes_obsolete, I'll update that in the text.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, yes. I forgot about the desire to support different metadata versions in delegated targets.
I was thinking it might make more sense in an earlier role in the client workflow. If we have root, timestamp or snapshot metadata which has expired a client can't know whether that's because the metadata is obsolete, or whether something else happened (because we check the expiration on root, timestamp and snapshot and abort if the expiration has passed long before we ever download targets).
My hope was that this metadata field would
becomes_obsoletein targets metadatabecomes_obsoletein targets metadataThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could also add this field to the timestamp metadata to address case 2 (with the caveat that this would not help if root metadata expires). This would also ensure that the client checks this field even if no target files have been updated (when they might not download targets metadata).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still have reservations about this not being in the root metadata – how do clients detect unintentionally expired root metadata (or an attack) vs. obsolete root metadata? Or, phrased differently, how does a client know when updates may be available, just at a different end-point, versus updates being unavailable?
I acknowledge your concerns about including
becomes_obsoletein the root metadata being harder to manage. Updating metadata specification versions is a big thing, but should it require a quorum of the root signers and their offline keys? 🤷The reason I keep belabouring this point is because, to my mind, this is an aspect of TUF's freshness security design principle. The TUF website states that:
I'd argue that's not possible if the client can't detect the difference between root metadata expiring and root metadata being marked as obsolete.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've read and thought about this and I can see why we're having an extended discussion on this point. I think this is a hard decision.
If you believe the repository is the arbiter of truth and trust, then keeping it in the root role makes sense. This does effectively let the repository's root role deprecate large swaths of targets files though. This can be good or bad.
If you think that the developer keys (targets metadata files) are what should be trusted, then having a field in targets makes sense. (I would argue for version number instead of timestamp since there isn't a global clock / sync requirement for most of TUF except perhaps to print a warning about outdated timestamp metadata.) This allows parties that delegate make the choice about what versions of metadata are alright. I do feel like this option means that no one will ever use this and that old metadata will be kept around indefinitely, because I just can't see developers worrying about using this flag...
Anyways, this is just my brain dump on the subject...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Root metadata is designed to expire fairly infrequently, so clients would have a long time (potentially a year or more) to notice the
becomes_obsoletefield in timestamp metadata. However, I agree that updating the specification should be done with the knowledge of the root signers, so maybe including this field in root might be reasonable as it is rarely updated.I think regardless of whether this field goes in timestamp or root, it also needs to exist in targets metadata for this reason. In this design delegated targets metadata can use a different specification version than the top-level roles, so they need their own way to indicate deprecation. This is especially important when targets metadata is replicated across multiple repositories.
This may be another argument in favor of putting this field in root. Root metadata is always versioned whereas timestamp metadata is only versioned if consistent snapshots are used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that true? The detailed client workflow in the latest spec states:
I'm not sure how checking for a
becomes_obsoletedate in the metadata is any different from the requirement here to abandon an update if the root metadata file appears to have expired?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking about this more, I think that a timestamp might be more useful to clients than a version number as it allows them to make a plan for upgrading, especially in airgapped environments or anywhere else when upgrading might take some planning.
So, per this discussion I will update the TAP to include the becomes_obsolete field in root and targets, and leave its contents as the timestamp for now. This field is optional so if updating root or using a timestamp is an issue, it could be left out.