Explain why we check hashes before signatures #142
Thanks for clarifying this, @trishankatdatadog. I wonder if we can make it more concise.
It is safe to check the hashes before the signatures, because the hashes comes from the timestamp role, which we have already verified in the previous step
feels a bit redundant to
hashes ... listed in the trusted timestamp metadata
Maybe it's enough to just expand what's already there, e.g.
hashes ... listed in the above/previously/already verified and thus trusted timestamp metadata
?
On the other hand, it seems worthwhile to elaborate on the
quick way to reject bad metadata
What about something along the lines of
preliminary integrity check before performing a more expensive signature verification
?
Besides, should this be part of the spec or is it rather a contender for secondary literature (#91)?
Sounds good, I will address your comments. In the meantime, I think we should add this to the spec, because that's where the question came up for php-tuf while implementing, but I'll let @tedbow decide.
I agree that the spec is a good place for this, at least until we have the secondary literature. There are other parts of the spec where we explain why things are the way they are, such as the recently introduced fixed update start time.
320ba2f to 8091c5a
Signed-off-by: Trishank Karthik Kuppusamy <[email protected]> bump version
003b748 to 5107517
LGTM, thanks Trishank
Co-authored-by: Joshua Lock <[email protected]>
Co-authored-by: Joshua Lock <[email protected]>
An attempt to fix #138
Does this look good @tedbow?
Signed-off-by: Trishank Karthik Kuppusamy [email protected]
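The ordering discussed in this thread, as an added example (not code from the specification or from php-tuf): the downloaded snapshot bytes are compared with the hashes in the already verified timestamp metadata before any signature is checked. The names `check_against_timestamp`, `load_snapshot`, `SUPPORTED` and the stub verifier are hypothetical, and the signature step is a placeholder callback.

```python
import hashlib
import hmac

SUPPORTED = ("sha256", "sha512")  # assumption: algorithms this client accepts


class MetadataError(Exception):
    """Downloaded metadata failed a check."""


def check_against_timestamp(raw, entry):
    """Cheap check: compare raw bytes with the trusted timestamp entry."""
    if "length" in entry and len(raw) != entry["length"]:
        raise MetadataError("length mismatch")
    for alg, expected in entry.get("hashes", {}).items():
        if alg not in SUPPORTED:
            raise MetadataError("unsupported hash algorithm: " + alg)
        actual = hashlib.new(alg, raw).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise MetadataError(alg + " hash mismatch")


def load_snapshot(raw, timestamp_entry, verify_signatures):
    """Hashes first, then the more expensive signature verification."""
    check_against_timestamp(raw, timestamp_entry)
    if not verify_signatures(raw):
        raise MetadataError("signature threshold not met")
    return raw


def demo():
    """Return (tampered_rejected, number_of_signature_verifications)."""
    good = b'{"signed": {"_type": "snapshot", "version": 1}}'  # constructed
    entry = {"version": 1, "length": len(good),
             "hashes": {"sha256": hashlib.sha256(good).hexdigest()}}
    calls = []

    def verifier(raw):  # stand-in for real threshold signature verification
        calls.append(raw)
        return True

    load_snapshot(good, entry, verifier)
    tampered = good.replace(b"1", b"2")  # same length, different hash
    try:
        load_snapshot(tampered, entry, verifier)
        rejected = False
    except MetadataError:
        rejected = True
    return rejected, len(calls)
```

In `demo()` the tampered file is rejected by the hash comparison, so the verifier runs only once, for the untampered file.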