Full Verification algorithm does not verify delegated roles (5.4.4.2:11.2)
Closed this issue · 3 comments
While the algorithm in 5.4.4.2 seems to correctly capture verification of the top-level metadata roles (root, timestamp, snapshot, targets), it does not seem to include verification for delegated targets roles, which must be verified based on a traversal of the graph of delegations in step 11.2.
There's a lot of discussion about this in TUF issue 660, if you want a deeper dive. I'll try for a short version:
The naive and incorrect way to verify delegated roles is to verify the role when it is first needed, based on the delegation that first brought you to it, and to treat the role as verified from then on. This treats it like a top-level role (timestamp, snapshot, targets, root). The trouble is that top-level roles can always be verified based on what the root role says, but delegated roles don't have a single definitive source for the information necessary to verify them. Two different delegated roles A and B can both delegate to role C, and those two separate delegations can indicate different paths (and/or hardware IDs) and indicate different thresholds and sets of keys (perhaps one is a subset of the other, perhaps not). There is no meaning to the notion of verifying delegated role C except in the context of a particular path through the delegation graph, and that verification can look different if you come to it from role A vs role B first. If you want target info for image 1.tgz, you walk the graph of delegations and can verify each role you encounter based on the delegation that brought you to it. If you're not walking the graph, there are no rules for verifying delegated roles (unlike the top-level roles, which are all specified directly by root).
So the naive and correct and inefficient way to do this is to verify a delegated role every time you encounter it while traversing the delegation graph. You could improve this by caching verification status indexed by delegation paths, or in any number of ways, but you cannot assume that every delegated role file can be verified once regardless of the structure of the delegation graph.
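The traversal described in the comment above, as an added example that is not part of this issue, PR #81, or the Uptane reference implementation. It walks the delegation graph from the (already verified) top-level targets role and re-verifies every delegated role against the keyids and threshold of the delegation that led to it, so the same role C can validate when reached through A and fail when reached through B. It also includes the "verified once, trusted forever" variant to show how that goes wrong. The metadata layout, the role names A/B/C, the keyids k_*, and the toy HMAC-SHA256 "signatures" standing in for real public-key signatures are all constructed for this example.

```python
import fnmatch
import hashlib
import hmac
import json


def canonical(signed):
    """Canonical encoding of the 'signed' portion before signing/verifying."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(signed, keyid, keys):
    """Toy signature: HMAC-SHA256 under a shared secret stands in for a
    public-key signature. Constructed for this example only."""
    mac = hmac.new(keys[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}


def verify_role(metadata, keyids, threshold, keys):
    """At least `threshold` valid signatures from distinct keys in `keyids`?
    Only the keys named by the *delegation* being followed count."""
    good = set()
    for s in metadata["signatures"]:
        kid = s["keyid"]
        if kid not in keyids or kid not in keys:
            continue
        expected = hmac.new(keys[kid], canonical(metadata["signed"]), hashlib.sha256).hexdigest()
        if hmac.compare_digest(s["sig"], expected):
            good.add(kid)
    return len(good) >= threshold


def matching_delegations(signed, path):
    """Delegations of this role whose path patterns cover `path`, in listed order."""
    return [d for d in signed.get("delegations", [])
            if any(fnmatch.fnmatch(path, p) for p in d["paths"])]


def find_target(path, rolename, store, keys, visited=frozenset()):
    """Pre-order walk of the delegation graph. `rolename` is assumed already
    verified by the caller (for 'targets': via root/snapshot/timestamp). Each
    delegated role is re-verified against the delegation that led to it."""
    visited = visited | {rolename}
    signed = store[rolename]["signed"]
    if path in signed["targets"]:
        return signed["targets"][path]
    for d in matching_delegations(signed, path):
        child = store.get(d["role"])
        if d["role"] in visited or child is None:
            continue  # cycle on this branch, or metadata not available
        if not verify_role(child, d["keyids"], d["threshold"], keys):
            continue  # this delegation does not validate the role; try the next
        found = find_target(path, d["role"], store, keys, visited)
        if found is not None:
            return found
    return None


def naive_find_target(path, rolename, store, keys, trusted, visited=frozenset()):
    """The incorrect variant: once a role verified via *any* delegation, it is
    trusted on every later path through the graph (the `trusted` cache)."""
    visited = visited | {rolename}
    signed = store[rolename]["signed"]
    if path in signed["targets"]:
        return signed["targets"][path]
    for d in matching_delegations(signed, path):
        child = store.get(d["role"])
        if d["role"] in visited or child is None:
            continue
        if d["role"] not in trusted:
            if not verify_role(child, d["keyids"], d["threshold"], keys):
                continue
            trusted.add(d["role"])  # cached regardless of which delegation verified it
        found = naive_find_target(path, d["role"], store, keys, trusted, visited)
        if found is not None:
            return found
    return None


def build_example():
    """Constructed repository: A and B both delegate to C with different keys
    and thresholds. C is signed by k_c1 only: valid via A (1-of-1), not via B (2-of-2)."""
    keys = {k: k.encode() for k in ("k_top", "k_a", "k_b", "k_c1", "k_c2")}

    def role(targets, delegations, signers):
        signed = {"targets": targets, "delegations": delegations}
        return {"signed": signed, "signatures": [sign(signed, k, keys) for k in signers]}

    def deleg(name, paths, keyids, threshold):
        return {"role": name, "paths": paths, "keyids": keyids, "threshold": threshold}

    store = {
        "targets": role({}, [deleg("A", ["a/*"], ["k_a"], 1),
                            deleg("B", ["b/*"], ["k_b"], 1)], ["k_top"]),
        "A": role({}, [deleg("C", ["a/*"], ["k_c1"], 1)], ["k_a"]),
        "B": role({}, [deleg("C", ["b/*"], ["k_c1", "k_c2"], 2)], ["k_b"]),
        "C": role({"a/1.tgz": {"length": 10}, "b/1.tgz": {"length": 20}}, [], ["k_c1"]),
    }
    return store, keys


if __name__ == "__main__":
    store, keys = build_example()
    print(find_target("a/1.tgz", "targets", store, keys))  # {'length': 10}: C valid via A
    print(find_target("b/1.tgz", "targets", store, keys))  # None: C fails B's 2-of-2 threshold
    cache = set()
    naive_find_target("a/1.tgz", "targets", store, keys, cache)
    print(naive_find_target("b/1.tgz", "targets", store, keys, cache))  # {'length': 20}: wrong
```

Note that `find_target` never records C as "verified"; it only ever records that C validated under a specific delegation while walking a specific branch, which is exactly the per-path notion the comment describes. Caching, if wanted, would have to be keyed on the delegation (keyids, threshold, paths) rather than on the role name alone.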
I've opened a PR (#81) that specifies the "naïve and correct and inefficient way". I'm hoping to close this off, just so we don't have such a big backlog of issues.
I am all for closing these issues as soon as we can, as long as any "loose threads" are captured somewhere.
Lois