
Commit a961fe0

Revise the remaining steps that needed to report failures
Signed-off-by: Vladimir Diaz <[email protected]>
1 parent 39cfb0e commit a961fe0

File tree

1 file changed

+24
-11
lines changed

tuf-spec.md

Lines changed: 24 additions & 11 deletions
@@ -1077,7 +1077,8 @@ used to download the timestamp metadata file is of the fixed form FILENAME.EXT
10771077
* **2.3**. **Check for a freeze attack.** The latest known time should be
10781078
lower than the expiration timestamp in the new timestamp metadata file. If
10791079
so, the new timestamp metadata file becomes the trusted timestamp metadata
1080-
file.
1080+
file. If the new timestamp metadata file has expired, discard it and report
1081+
the potential freeze attack.
10811082

10821083
**3**. **Download snapshot metadata file**, up to the number of bytes specified
10831084
in the timestamp metadata file. If consistent snapshots are not used (see
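Review bot: the failure sentence added to 2.3 ("If the new timestamp metadata file has expired") does not mirror the condition it negates ("The latest known time should be lower than the expiration timestamp"), so the boundary case where the latest known time equals the expiration timestamp is left unspecified. Suggest "Otherwise (the latest known time is not lower than the expiration timestamp), discard it and report the potential freeze attack." so that the pass and fail branches cover every case.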
@@ -1090,10 +1091,13 @@ non-volatile storage as FILENAME.EXT.
10901091

10911092
* **3.1**. **Check against timestamp metadata.** The hashes and version number
10921093
of the new snapshot metadata file MUST match the hashes and version number
1093-
listed in timestamp metadata.
1094+
listed in timestamp metadata. If hashes and version do not match, discard
1095+
the new snapshot metadata and report the failure.
10941096

1095-
* **3.2**. **Check signatures.** The snapshot metadata file MUST have been
1096-
signed by a threshold of keys specified in the trusted root metadata file.
1097+
* **3.2**. **Check signatures.** The new snapshot metadata file MUST have
1098+
been signed by a threshold of keys specified in the trusted root metadata
1099+
file. If the new snapshot metadata file is not signed as required, discard
1100+
it and report the signature failure.
10971101

10981102
* **3.3**. **Check for a rollback attack.**
10991103

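Review bot: in 3.1 the new condition "If hashes and version do not match" reads as if both must mismatch before the file is rejected, whereas the MUST clause right above it requires both to match, so a single mismatching hash or version number already has to fail. Suggest "If either the hashes or the version number do not match, discard the new snapshot metadata file and report the failure." This also restores "metadata file", the term the rest of the step uses, in place of the bare "snapshot metadata".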
@@ -1103,19 +1107,22 @@ non-volatile storage as FILENAME.EXT.
11031107

11041108
* **3.3.2**. The version number of the trusted snapshot metadata file, if
11051109
any, MUST be less than or equal to the version number of the new snapshot
1106-
metadata file.
1110+
metadata file. If the new snapshot metadata file is older than the trusted
1111+
metadata file, discard it and report the potential rollback attack.
11071112

11081113
* **3.3.3**. The version number of the targets metadata file, and all
11091114
delegated targets metadata files (if any), in the trusted snapshot metadata
11101115
file, if any, MUST be less than or equal to its version number in the new
11111116
snapshot metadata file. Furthermore, any targets metadata filename that was
11121117
listed in the trusted snapshot metadata file, if any, MUST continue to be
1113-
listed in the new snapshot metadata file.
1118+
listed in the new snapshot metadata file. If any of these conditions are
1119+
not met, discard the new snaphot metadadata file and report the failure.
11141120

11151121
* **3.4**. **Check for a freeze attack.** The latest known time should be
11161122
lower than the expiration timestamp in the new snapshot metadata file. If
11171123
so, the new snapshot metadata file becomes the trusted snapshot metadata
1118-
file.
1124+
file. If the new snaphshot metadata file is expired, discard it and report
1125+
the potential freeze attack.
11191126

11201127
**4**. **Download the top-level targets metadata file**, up to either the
11211128
number of bytes specified in the snapshot metadata file, or some Z number of
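Review bot: two typos in the added lines: "snaphot metadadata file" in 3.3.3 should read "snapshot metadata file", and "snaphshot" in 3.4 should read "snapshot". In 3.3.2 the failure sentence refers to "the trusted metadata file"; since the neighbouring 3.3.3 compares against several trusted files, spell it out as "the trusted snapshot metadata file". Minor: 3.4 says "is expired" where 2.3 says "has expired"; use one form throughout.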
@@ -1131,19 +1138,25 @@ non-volatile storage as FILENAME.EXT.
11311138
* **4.1**. **Check against snapshot metadata.** The hashes (if any), and
11321139
version number of the new targets metadata file MUST match the trusted
11331140
snapshot metadata. This is done, in part, to prevent a mix-and-match attack
1134-
by man-in-the-middle attackers.
1141+
by man-in-the-middle attackers. If the new targets metadata file does not
1142+
match, discard it and report the failure.
11351143

11361144
* **4.2**. **Check for an arbitrary software attack.** The new targets
11371145
metadata file MUST have been signed by a threshold of keys specified in the
1138-
trusted root metadata file.
1146+
trusted root metadata file. If the new targets metadat file is not signed
1147+
as required, discard it and report the failure.
11391148

11401149
* **4.3**. **Check for a rollback attack.** The version number of the trusted
11411150
targets metadata file, if any, MUST be less than or equal to the version
1142-
number of the new targets metadata file.
1151+
number of the new targets metadata file. If the new targets metadata file
1152+
is older than the trusted targets metadata file, discard it and report
1153+
the potential rollback attack.
11431154

11441155
* **4.4**. **Check for a freeze attack.** The latest known time should be
11451156
lower than the expiration timestamp in the new targets metadata file. If so,
1146-
the new targets metadata file becomes the trusted targets metadata file.
1157+
the new targets metadata file becomes the trusted targets metadata file. If
1158+
the new targets metadata file is expired, discard it and report the potential
1159+
freeze attack.
11471160

11481161
* **4.5**. **Perform a preorder depth-first search for metadata about the
11491162
desired target, beginning with the top-level targets role.** Note: If
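Review bot: typo in 4.2: "metadat file" should read "metadata file". The same step reports "the failure" while the equivalent snapshot signature check in 3.2 reports "the signature failure"; use the same wording in both so an implementer classifying errors treats the two steps as the same class of failure. Likewise 4.4 says "is expired" where 2.3 says "has expired".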
