Skip to content

Commit 39cfb0e

Browse files
vladimir-v-diazvladimir-v-diaz
committed
Revisions up to section 2.2
Signed-off-by: Vladimir Diaz <[email protected]>
1 parent b894be8 commit 39cfb0e

File tree

1 file changed

+16
-5
lines changed

1 file changed

+16
-5
lines changed

tuf-spec.md

Lines changed: 16 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1020,13 +1020,18 @@ repo](https://github.com/theupdateframework/specification/issues).
10201020
* **1.3. Check signatures.** Version N+1 of the root metadata file MUST have
10211021
been signed by: (1) a threshold of keys specified in the trusted root
10221022
metadata file (version N), and (2) a threshold of keys specified in the new
1023-
root metadata file being validated (version N+1).
1023+
root metadata file being validated (version N+1). If version N+1 is not
1024+
signed as required, discard it and report the signature failure. On the
1025+
next update cycle, begin at step 0 and version N of the root metadata
1026+
file.
10241027

10251028
* **1.4. Check for a rollback attack.** The version number of the trusted
10261029
root metadata file (version N) must be less than or equal to the version
10271030
number of the new root metadata file (version N+1). Effectively, this means
10281031
checking that the version number signed in the new root metadata file is
1029-
indeed N+1.
1032+
indeed N+1. If the new root metadata file is less than the trusted metadat
1033+
file, discard it and report the rollback attack. On the next update cycle,
1034+
begin at step 0 and version N of the root metadata file.
10301035

10311036
* **1.5**. Note that the expiration of the new (intermediate) root metadata
10321037
file does not matter yet, because we will check for it in step 1.8.
@@ -1037,7 +1042,10 @@ repo](https://github.com/theupdateframework/specification/issues).
10371042
* **1.7**. **Repeat steps 1.1 to 1.7**.
10381043

10391044
* **1.8**. **Check for a freeze attack.** The latest known time should be
1040-
lower than the expiration timestamp in the trusted root metadata file.
1045+
lower than the expiration timestamp in the trusted root metadata file
1046+
(version N). If the trusted root metadata file has expired, report the
1047+
potential freeze attack. On the next update cycle, begin at step 0 and
1048+
version N of the root metadata file.
10411049

10421050
* **1.9**. **If the timestamp and / or snapshot keys have been rotated, then
10431051
delete the trusted timestamp and snapshot metadata files.** This is done in
@@ -1057,11 +1065,14 @@ used to download the timestamp metadata file is of the fixed form FILENAME.EXT
10571065

10581066
* **2.1**. **Check signatures.** The new timestamp metadata file must have
10591067
been signed by a threshold of keys specified in the trusted root metadata
1060-
file.
1068+
file. If the new timestamp metadata file is not properly signed, discard it
1069+
and report the signature failure.
10611070

10621071
* **2.2**. **Check for a rollback attack.** The version number of the trusted
10631072
timestamp metadata file, if any, must be less than or equal to the version
1064-
number of the new timestamp metadata file.
1073+
number of the new timestamp metadata file. If the new timestamp metadata
1074+
file is older than the trusted timestamp metadata file, discard it and report
1075+
the potential rollback attack.
10651076

10661077
* **2.3**. **Check for a freeze attack.** The latest known time should be
10671078
lower than the expiration timestamp in the new timestamp metadata file. If

0 commit comments

Comments
 (0)