Commit fe1f4ac

Add section for client interaction with auditors
Add a section that describes a few options for how clients can verify that a Merkle tree has been verified by an auditor.

Signed-off-by: Marina Moore <[email protected]>
1 parent 5d62196 commit fe1f4ac

tap16.md

Lines changed: 19 additions & 5 deletions
@@ -169,18 +169,32 @@ Alternatively, the repository may provide auditors with information about the
169169
contents and ordering of leaf nodes so that the auditors can more efficiently
170170
verify the entire tree.
171171

172-
Auditors may provide an additional signature for timestamp metadata that
173-
indicates that they have verified the contents of the Merkle tree whose root
174-
is in that timestamp file. Using this signature, clients can check whether a
175-
particular third party has approved the Merkle tree.
176-
177172
An auditor should validate all versions of the Merkle tree signed by the
178173
current timestamp key. For fast-forward attack recovery, the auditor should
179174
not check for a rollback attack after the timestamp key
180175
has been replaced. This means that all new auditors should check the Merkle
181176
trees signed with the current timestamp keys before attesting to the validity
182177
of the current Merkle tree.
183178

179+
## Client interaction with auditors
180+
181+
Clients must ensure that snapshot Merkle trees have been verified by an auditor.
182+
To do so, implementations may use a few different mechanisms:
183+
184+
* Auditors may provide an additional signature for timestamp metadata that
185+
indicates that they have verified the contents of the Merkle tree whose root
186+
is in that timestamp file. Using this signature, clients can check whether a
187+
particular third party has approved the Merkle tree. To use this mechanism,
188+
the auditor's key should be included in the root metadata.
189+
190+
* Auditors may host a list of verified Merkle roots for a given repository,
191+
signed by the auditor's key. Clients may be configured with the auditor's key,
192+
or get it from the root metadata.
193+
194+
* Clients may use a secure API to verify that a given Merkle root has been
195+
verified by an auditor. This API should provide compromise resilience similar to
196+
TUF's root metadata.
197+
184198
## Garbage collection
185199

186200
When a threshold of timestamp keys are revoked and replaced, the repository no
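Review bot: The new section states "Clients must ensure that snapshot Merkle trees have been verified by an auditor." but then describes every mechanism with "may", and none of the three bullets says what a client does when the Merkle root in the current timestamp file has no auditor attestation yet, which is the normal state right after the repository publishes a new timestamp and before any auditor has run. Please state whether clients fail closed (refuse to use that timestamp until an attestation appears) or accept the root provisionally, and if the latter, what that buys over having no auditors at all. The first bullet's "the auditor's key should be included in the root metadata" also leaves the threshold unspecified: root metadata binds keys to a role with a threshold, so say whether a single auditor signature is enough or a threshold of auditors must attest, and apply the same rule to the signed list in the second bullet and the API in the third. Finally, "compromise resilience similar to TUF's root metadata" in the third bullet gives an implementer nothing concrete; spell out what is required, for example that the API's responses are signed with keys listed in, and rotated through, root metadata, rather than relying on transport security alone.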
