@@ -1074,42 +1074,50 @@ repo](https://github.com/theupdateframework/specification/issues).
10741074 still be able to update again in the future. Errors raised during the update
10751075 process should not leave clients in an unrecoverable state.
10761076
1077- ** 5.0** . ** Load the trusted root metadata file.** We assume that a good,
1077+ ** 5.0** . ** Record the time at which the update began.** Add the update
1078+ workflow maximum duration T to the recorded update start time to derive the
1079+ fixed update expiration time. The value for T is set by the authors of the
1080+ application using TUF. For example, T may be tens of minutes.
1081+ This update expiration time will be used when checking for freeze attacks,
1082+ and is fixed at the beginning of the update workflow to prevent metadata
1083+ from expiring during an in-progress update.
1084+
1085+ ** 5.1** . ** Load the trusted root metadata file.** We assume that a good,
10781086 trusted copy of this file was shipped with the package manager or software
10791087 updater using an out-of-band process. Note that the expiration of the
10801088 trusted root metadata file does not matter, because we will attempt to update
10811089 it in the next step.
10821090
1083- ** 5.1 ** . ** Update the root metadata file.** Since it may now be signed using
1091+ ** 5.2 ** . ** Update the root metadata file.** Since it may now be signed using
10841092 entirely different keys, the client MUST somehow be able to establish a
10851093 trusted line of continuity to the latest set of keys (see Section 6.1). To do
10861094 so, the client MUST download intermediate root metadata files, until the
10871095 latest available one is reached. Therefore, it MUST temporarily turn on
10881096 consistent snapshots in order to download _ versioned_ root metadata files as
10891097 described next.
10901098
1091- * ** 5.1 .1** . Let N denote the version number of the trusted root metadata
1099+ * ** 5.2 .1** . Let N denote the version number of the trusted root metadata
10921100 file.
10931101
1094- * ** 5.1 .2** . ** Try downloading version N+1 of the root metadata file** , up to
1102+ * ** 5.2 .2** . ** Try downloading version N+1 of the root metadata file** , up to
10951103 some W number of bytes (because the size is unknown). The value for W is set
10961104 by the authors of the application using TUF. For example, W may be tens of
10971105 kilobytes. The filename used to download the root metadata file is of the
10981106 fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file is
10991107 not available, or we have downloaded more than Y number of root metadata
1100- files (because the exact number is as yet unknown), then go to step 5.1 .9.
1108+ files (because the exact number is as yet unknown), then go to step 5.2 .9.
11011109 The value for Y is set by the authors of the application using TUF. For
11021110 example, Y may be 2^10.
11031111
1104- * ** 5.1 .3. Check for an arbitrary software attack.** Version N+1 of the root
1112+ * ** 5.2 .3. Check for an arbitrary software attack.** Version N+1 of the root
11051113 metadata file MUST have been signed by: (1) a threshold of keys specified in
11061114 the trusted root metadata file (version N), and (2) a threshold of keys
11071115 specified in the new root metadata file being validated (version N+1). If
11081116 version N+1 is not signed as required, discard it, abort the update cycle,
11091117 and report the signature failure. On the next update cycle, begin at step
1110- 5.0 and version N of the root metadata file.
1118+ 5.1 and version N of the root metadata file.
11111119
1112- * ** 5.1 .4. Check for a rollback attack.** The version number of the trusted
1120+ * ** 5.2 .4. Check for a rollback attack.** The version number of the trusted
11131121 root metadata file (version N) MUST be less than or equal to the version
11141122 number of the new root metadata file (version N+1). Effectively, this means
11151123 checking that the version number signed in the new root metadata file is
@@ -1118,24 +1126,24 @@ repo](https://github.com/theupdateframework/specification/issues).
11181126 rollback attack. On the next update cycle, begin at step 5.0 and version N
11191127 of the root metadata file.
11201128
1121- * ** 5.1 .5** . Note that the expiration of the new (intermediate) root metadata
1122- file does not matter yet, because we will check for it in step 5.1 .9.
1129+ * ** 5.2 .5** . Note that the expiration of the new (intermediate) root metadata
1130+ file does not matter yet, because we will check for it in step 5.2 .9.
11231131
1124- * ** 5.1 .6** . ** Set the trusted root metadata file** to the new root metadata
1132+ * ** 5.2 .6** . ** Set the trusted root metadata file** to the new root metadata
11251133 file.
11261134
1127- * ** 5.1 .7** . ** Persist root metadata.** The client MUST write the file to
1135+ * ** 5.2 .7** . ** Persist root metadata.** The client MUST write the file to
11281136 non-volatile storage as FILENAME.EXT (e.g. root.json).
11291137
1130- * ** 5.1 .8** . ** Repeat steps 5.1 .1 to 5.1 .8** .
1138+ * ** 5.2 .8** . ** Repeat steps 5.2 .1 to 5.2 .8** .
11311139
1132- * ** 5.1 .9** . ** Check for a freeze attack.** The latest known time MUST be
1133- lower than the expiration timestamp in the trusted root metadata file
1140+ * ** 5.2 .9** . ** Check for a freeze attack.** The fixed update expiration time
1141+ MUST be lower than the expiration timestamp in the trusted root metadata file
11341142 (version N). If the trusted root metadata file has expired, abort the update
11351143 cycle, report the potential freeze attack. On the next update cycle, begin
11361144 at step 5.0 and version N of the root metadata file.
11371145
1138- * ** 5.1 .10** . ** If the timestamp and / or snapshot keys have been rotated,
1146+ * ** 5.2 .10** . ** If the timestamp and / or snapshot keys have been rotated,
11391147 then delete the trusted timestamp and snapshot metadata files.** This is done
11401148 in order to recover from fast-forward attacks after the repository has been
11411149 compromised and recovered. A _ fast-forward attack_ happens when attackers
@@ -1145,44 +1153,44 @@ repo](https://github.com/theupdateframework/specification/issues).
11451153 paper] ( https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf )
11461154 for more details.
11471155
1148- * ** 5.1 .11** . ** Set whether consistent snapshots are used as per the trusted
1156+ * ** 5.2 .11** . ** Set whether consistent snapshots are used as per the trusted
11491157 root metadata file** (see Section 4.3).
11501158
1151- ** 5.2 ** . ** Download the timestamp metadata file** , up to X number of bytes
1159+ ** 5.3 ** . ** Download the timestamp metadata file** , up to X number of bytes
11521160(because the size is unknown). The value for X is set by the authors of the
11531161application using TUF. For example, X may be tens of kilobytes. The filename
11541162used to download the timestamp metadata file is of the fixed form FILENAME.EXT
11551163(e.g., timestamp.json).
11561164
1157- * ** 5.2 .1** . ** Check for an arbitrary software attack.** The new timestamp
1165+ * ** 5.3 .1** . ** Check for an arbitrary software attack.** The new timestamp
11581166 metadata file MUST have been signed by a threshold of keys specified in the
11591167 trusted root metadata file. If the new timestamp metadata file is not
11601168 properly signed, discard it, abort the update cycle, and report the signature
11611169 failure.
11621170
1163- * ** 5.2 .2** . ** Check for a rollback attack.**
1171+ * ** 5.3 .2** . ** Check for a rollback attack.**
11641172
1165- * ** 5.2 .2.1** . The version number of the trusted timestamp metadata file, if
1173+ * ** 5.3 .2.1** . The version number of the trusted timestamp metadata file, if
11661174 any, MUST be less than or equal to the version number of the new timestamp
11671175 metadata file. If the new timestamp metadata file is older than the
11681176 trusted timestamp metadata file, discard it, abort the update cycle, and
11691177 report the potential rollback attack.
11701178
1171- * ** 5.2 .2.2** . The version number of the snapshot metadata file in the
1179+ * ** 5.3 .2.2** . The version number of the snapshot metadata file in the
11721180 trusted timestamp metadata file, if any, MUST be less than or equal to its
11731181 version number in the new timestamp metadata file. If not, discard the new
11741182 timestamp metadata file, abort the update cycle, and report the failure.
11751183
1176- * ** 5.2 .3** . ** Check for a freeze attack.** The latest known time MUST be
1177- lower than the expiration timestamp in the new timestamp metadata file. If
1178- so, the new timestamp metadata file becomes the trusted timestamp metadata
1179- file. If the new timestamp metadata file has expired, discard it, abort the
1180- update cycle, and report the potential freeze attack.
1184+ * ** 5.3 .3** . ** Check for a freeze attack.** The fixed update expiration time
1185+ MUST be lower than the expiration timestamp in the new timestamp metadata
1186+ file. If so, the new timestamp metadata file becomes the trusted timestamp
1187+ metadata file. If the new timestamp metadata file has expired, discard it,
1188+ abort the update cycle, and report the potential freeze attack.
11811189
1182- * ** 5.2 .4** . ** Persist timestamp metadata.** The client MUST write the file
1190+ * ** 5.3 .4** . ** Persist timestamp metadata.** The client MUST write the file
11831191 to non-volatile storage as FILENAME.EXT (e.g. timestamp.json).
11841192
1185- ** 5.3 ** . ** Download snapshot metadata file** , up to either the number of bytes
1193+ ** 5.4 ** . ** Download snapshot metadata file** , up to either the number of bytes
11861194specified in the timestamp metadata file, or some Y number of bytes. The value
11871195for Y is set by the authors of the application using TUF. For example, Y may be
11881196tens of kilobytes. If consistent snapshots are not used (see
@@ -1192,25 +1200,25 @@ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where
11921200VERSION_NUMBER is the version number of the snapshot metadata file listed in
11931201the timestamp metadata file.
11941202
1195- * ** 5.3 .1** . ** Check against timestamp role's snapshot hash.** The hashes
1203+ * ** 5.4 .1** . ** Check against timestamp role's snapshot hash.** The hashes
11961204 of the new snapshot metadata file MUST match the hashes, if any, listed in
11971205 the trusted timestamp metadata. This is done, in part, to prevent a
11981206 mix-and-match attack by man-in-the-middle attackers. If the hashes do not
11991207 match, discard the new snapshot metadata, abort the update cycle, and report
12001208 the failure.
12011209
1202- * ** 5.3 .2** . ** Check for an arbitrary software attack.** The new snapshot
1210+ * ** 5.4 .2** . ** Check for an arbitrary software attack.** The new snapshot
12031211 metadata file MUST have been signed by a threshold of keys specified in the
12041212 trusted root metadata file. If the new snapshot metadata file is not signed
12051213 as required, discard it, abort the update cycle, and report the signature
12061214 failure.
12071215
1208- * ** 5.3 .3** . ** Check against timestamp role's snapshot version.** The version
1216+ * ** 5.4 .3** . ** Check against timestamp role's snapshot version.** The version
12091217 number of the new snapshot metadata file MUST match the version number listed
12101218 in the trusted timestamp metadata. If the versions do not match, discard the
12111219 new snapshot metadata, abort the update cycle, and report the failure.
12121220
1213- * ** 5.3 .4** . ** Check for a rollback attack.** The version number of the targets
1221+ * ** 5.4 .4** . ** Check for a rollback attack.** The version number of the targets
12141222 metadata file, and all delegated targets metadata files, if any, in the
12151223 trusted snapshot metadata file, if any, MUST be less than or equal to its
12161224 version number in the new snapshot metadata file. Furthermore, any targets
@@ -1219,17 +1227,17 @@ the timestamp metadata file.
12191227 these conditions are not met, discard the new snapshot metadata file, abort
12201228 the update cycle, and report the failure.
12211229
1222- * ** 5.3 .5** . ** Check for a freeze attack.** The latest known time MUST be
1230+ * ** 5.4 .5** . ** Check for a freeze attack.** The latest known time MUST be
12231231 lower than the expiration timestamp in the new snapshot metadata file. If
12241232 so, the new snapshot metadata file becomes the trusted snapshot metadata
12251233 file. If the new snapshot metadata file is expired, discard it, abort the
12261234 update cycle, and report the potential freeze attack.
12271235
12281236
1229- * ** 5.3 .6** . ** Persist snapshot metadata.** The client MUST write the file to
1237+ * ** 5.4 .6** . ** Persist snapshot metadata.** The client MUST write the file to
12301238 non-volatile storage as FILENAME.EXT (e.g. snapshot.json).
12311239
1232- ** 5.4 ** . ** Download the top-level targets metadata file** , up to either the
1240+ ** 5.5 ** . ** Download the top-level targets metadata file** , up to either the
12331241number of bytes specified in the snapshot metadata file, or some Z number of
12341242bytes. The value for Z is set by the authors of the application using TUF. For
12351243example, Z may be tens of kilobytes. If consistent snapshots are not used (see
@@ -1239,66 +1247,66 @@ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where
12391247VERSION_NUMBER is the version number of the targets metadata file listed in the
12401248snapshot metadata file.
12411249
1242- * ** 5.4 .1** . ** Check against snapshot role's targets hash.** The hashes
1250+ * ** 5.5 .1** . ** Check against snapshot role's targets hash.** The hashes
12431251 of the new targets metadata file MUST match the hashes, if any, listed in the
12441252 trusted snapshot metadata. This is done, in part, to prevent a mix-and-match
12451253 attack by man-in-the-middle attackers. If the new targets metadata file does
12461254 not match, discard the new target metadata, abort the update cycle, and
12471255 report the failure.
12481256
1249- * ** 5.4 .2** . ** Check for an arbitrary software attack.** The new targets
1257+ * ** 5.5 .2** . ** Check for an arbitrary software attack.** The new targets
12501258 metadata file MUST have been signed by a threshold of keys specified in the
12511259 trusted root metadata file. If the new targets metadata file is not signed
12521260 as required, discard it, abort the update cycle, and report the failure.
12531261
1254- * ** 5.4 .3** . ** Check against snapshot role's targets version.** The version
1262+ * ** 5.5 .3** . ** Check against snapshot role's targets version.** The version
12551263 number of the new targets metadata file MUST match the version number listed
12561264 in the trusted snapshot metadata. If the versions do not match, discard it,
12571265 abort the update cycle, and report the failure.
12581266
1259- * ** 5.4 .4** . ** Check for a freeze attack.** The latest known time MUST be
1267+ * ** 5.5 .4** . ** Check for a freeze attack.** The latest known time MUST be
12601268 lower than the expiration timestamp in the new targets metadata file. If so,
12611269 the new targets metadata file becomes the trusted targets metadata file. If
12621270 the new targets metadata file is expired, discard it, abort the update cycle,
12631271 and report the potential freeze attack.
12641272
1265- * ** 5.4 .5** . ** Persist targets metadata.** The client MUST write the file to
1273+ * ** 5.5 .5** . ** Persist targets metadata.** The client MUST write the file to
12661274 non-volatile storage as FILENAME.EXT (e.g. targets.json).
12671275
1268- * ** 5.4 .6** . ** Perform a pre-order depth-first search for metadata about the
1276+ * ** 5.5 .6** . ** Perform a pre-order depth-first search for metadata about the
12691277 desired target, beginning with the top-level targets role.** Note: If
1270- any metadata requested in steps 5.4 .6.1 - 5.4 .6.2 cannot be downloaded nor
1278+ any metadata requested in steps 5.5 .6.1 - 5.5 .6.2 cannot be downloaded nor
12711279 validated, end the search and report that the target cannot be found.
12721280
1273- * ** 5.4 .6.1** . If this role has been visited before, then skip this role
1281+ * ** 5.5 .6.1** . If this role has been visited before, then skip this role
12741282 (so that cycles in the delegation graph are avoided). Otherwise, if an
12751283 application-specific maximum number of roles have been visited, then go to
1276- step 5.5 (so that attackers cannot cause the client to waste excessive
1284+ step 5.6 (so that attackers cannot cause the client to waste excessive
12771285 bandwidth or time). Otherwise, if this role contains metadata about the
1278- desired target, then go to step 5.5 .
1286+ desired target, then go to step 5.6 .
12791287
1280- * ** 5.4 .6.2** . Otherwise, recursively search the list of delegations in
1288+ * ** 5.5 .6.2** . Otherwise, recursively search the list of delegations in
12811289 order of appearance.
12821290
1283- * ** 5.4 .6.2.1** . If the current delegation is a multi-role delegation,
1291+ * ** 5.5 .6.2.1** . If the current delegation is a multi-role delegation,
12841292 recursively visit each role, and check that each has signed exactly the
12851293 same non-custom metadata (i.e., length and hashes) about the target (or
12861294 the lack of any such metadata).
12871295
1288- * ** 5.4 .6.2.2** . If the current delegation is a terminating delegation,
1296+ * ** 5.5 .6.2.2** . If the current delegation is a terminating delegation,
12891297 then jump to step 5.5.
12901298
1291- * ** 5.4 .6.2.3** . Otherwise, if the current delegation is a
1299+ * ** 5.5 .6.2.3** . Otherwise, if the current delegation is a
12921300 non-terminating delegation, continue processing the next delegation, if
1293- any. Stop the search, and jump to step 5.5 as soon as a delegation
1301+ any. Stop the search, and jump to step 5.6 as soon as a delegation
12941302 returns a result.
12951303
1296- ** 5.5 ** . ** Verify the desired target against its targets metadata** .
1304+ ** 5.6 ** . ** Verify the desired target against its targets metadata** .
12971305
1298- * ** 5.5 .1** . If there is no targets metadata about this target, abort the
1306+ * ** 5.6 .1** . If there is no targets metadata about this target, abort the
12991307 update cycle and report that there is no such target.
13001308
1301- * ** 5.5 .2** . Otherwise, download the target (up to the number of bytes
1309+ * ** 5.6 .2** . Otherwise, download the target (up to the number of bytes
13021310 specified in the targets metadata), and verify that its hashes match the
13031311 targets metadata. (We download up to this number of bytes, because in some
13041312 cases, the exact number is unknown. This may happen, for example, if an
@@ -1310,7 +1318,7 @@ snapshot metadata file.
13101318 (e.g.,
13111319 c14aeb4ac9f4a8fc0d83d12482b9197452f6adf3eb710e3b1e2b79e8d14cb681.foobar.tar.gz),
13121320 where HASH is one of the hashes of the targets file listed in the targets
1313- metadata file found earlier in step 5.4 . In either case, the client MUST write
1321+ metadata file found earlier in step 5.5 . In either case, the client MUST write
13141322 the file to non-volatile storage as FILENAME.EXT.
13151323
13161324## ** 6. Usage**
@@ -1347,7 +1355,7 @@ snapshot metadata file.
13471355 repository. This ensures that an outdated client can always correctly
13481356 re-trace the chain of trust across multiple root key updates, even if the
13491357 latest set of root keys on the client dates back multiple root metadata
1350- versions. See step 5.1 of the client application workflow for more details.
1358+ versions. See step 5.2 of the client application workflow for more details.
13511359
13521360 Note that an attacker, who controls the repository, can launch freeze
13531361 attacks by withholding new root metadata. The attacker does not need to
0 commit comments