Update threat model to include rollback attack (#285)
* Update threat model to add rollback attack

Signed-off-by: Pritesh Bandi <priteshbandi@gmail.com>
priteshbandi authored Nov 23, 2023
1 parent a3d1158 commit cdabdd1
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions threatmodels/notation-threatmodel.md
Expand Up @@ -87,3 +87,4 @@ The certificates trusted by the verifier are stored in Notation trust store in t
| Malicious signature faking to be signed by a signing authority | Tampering | Mitigated | High | Notation | Unlike notary.x509 signing scheme, trusted timestamps are not checked against RFC#3161 TSA servers for notary.x509.signingAuthority signing scheme. An attacker can use this and bypass trusted timestamp checks by crafting a signature that uses notary.x509 keys but with signingAuthority as the signing scheme. | To prevent this threat, notary.x509.signingAuthority signing scheme requires trusted roots to be present in a trust store type called signingAuthority as opposed to CA trust store type for notary.x509 signing scheme |
| Inaccessible OCSP Responder | Denial of Service | Not Mitigated | High | OCSP Responder | OCSP Responder is not able to service incoming requests or perform up to spec, thus users are unable to validate certificate revocation status | It cannot be mitigated, since revocation status should be retrieved from OCSP responder, which requires network access. Notation verification should fail if revocation check is configured as `enforced` and OCSP responder is inaccessible. Users can configure trust policy to log or skip revocation check if OCSP responder is not reliable. |
| Compromised Notation dependencies | Tampering | Mitigated | High | Notation | The dependencies that built into Notation binary was compromised, this may lead to arbitrary code being executed | Notation keeps dependencies up-to-date and adds new dependency after careful consideration and only if it's absolutely required. Always use static build instead of dynamic linking |
| Rollback Attack | Tampering | Mitigated | High | Notation | Attacker can exploit a compromised repository to return outdated vulnerable artifacts | Signer can employ short signature expiration periods (and periodically re-sign artifacts) or revoke outdated vulnerable artifacts |
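
Review bot: The new Rollback Attack row is marked "Mitigated", but its mitigation column is worded as something the "Signer can employ", so the status depends on optional signer behaviour rather than on a check Notation performs. Consider stating that dependency in the row, or naming the verifier-side check that rejects an expired signature. The phrase "revoke outdated vulnerable artifacts" also does not say what is revoked or how. The only revocation described in the surrounding rows is certificate revocation status retrieved from the OCSP responder, and that row notes users can configure trust policy to log or skip the revocation check, in which case a revocation-based mitigation would not block the outdated artifact. Spelling out the mechanism and that caveat would make the row consistent with the OCSP row above it.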
