appc / spec

App Container Specification and Tooling (archived, see https://github.com/rkt/rkt/issues/4024)
Apache License 2.0

spec: For security of authentication, an image needs to sign deprecated parents #168

Open alexanderkjeldaas opened 9 years ago

alexanderkjeldaas commented 9 years ago

Signatures on an image are in themselves not enough to verify that an image is proper. Signatures do not defend against downgrade attacks.

However, embedding a "parent pointer", like in a git commit, and then signing the result makes it possible to build a DAG where some images, by being pointed to by other images, are deemed to be obsolete or insecure.

The "parent pointers" that are needed in the manifest to do authentication securely, and not have downgrade attacks, are "deprecates: [list of images]".
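
As an added example (not code from this issue or from the appc project), the following Go program shows how such a signed "deprecates" pointer would work end to end: the pointer is part of the bytes the publisher signs, and a verifier unions the pointers of every validly signed manifest it knows about before admitting an image, so a replayed but still validly signed old image is refused once its successor has been seen, while a deprecation signed by some other key has no effect. The `Manifest` struct, `ImageID`, `Sign`/`Verify`/`Admit`, the `example.com/app` names and the use of ed25519 are all assumptions for illustration, not the appc manifest schema or signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical minimal image manifest; "deprecates" is the
// parent pointer proposed in the issue (illustration, not the appc schema).
type Manifest struct {
	Name       string   `json:"name"`
	Version    string   `json:"version"`
	Deprecates []string `json:"deprecates,omitempty"` // IDs this image supersedes
}

// SignedImage holds the serialized manifest and a signature over exactly those bytes.
type SignedImage struct {
	Manifest, Signature []byte
}

// ImageID is a constructed name:version identifier standing in for a content hash.
func ImageID(m Manifest) string { return m.Name + ":" + m.Version }

// Sign serializes the manifest and signs the bytes with the publisher's key.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedImage, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Verify checks the signature under the publisher key, then decodes the manifest.
func Verify(pub ed25519.PublicKey, img SignedImage) (m Manifest, err error) {
	if !ed25519.Verify(pub, img.Manifest, img.Signature) {
		return m, fmt.Errorf("signature does not verify under publisher key")
	}
	err = json.Unmarshal(img.Manifest, &m)
	return m, err
}

// DeprecatedSet unions the "deprecates" pointers of every image the publisher
// actually signed; forged or unsigned manifests are skipped and deprecate nothing.
func DeprecatedSet(pub ed25519.PublicKey, known []SignedImage) map[string]bool {
	dep := map[string]bool{}
	for _, img := range known {
		if m, err := Verify(pub, img); err == nil {
			for _, id := range m.Deprecates {
				dep[id] = true
			}
		}
	}
	return dep
}

// Admit accepts a candidate only if its signature verifies and no validly signed
// image in the known set deprecates it, so a replayed old image is rejected
// once its successor has been seen.
func Admit(pub ed25519.PublicKey, cand SignedImage, known []SignedImage) (Manifest, error) {
	m, err := Verify(pub, cand)
	if err != nil {
		return Manifest{}, err
	}
	if DeprecatedSet(pub, known)[ImageID(m)] {
		return Manifest{}, fmt.Errorf("%s is deprecated by a signed successor", ImageID(m))
	}
	return m, nil
}

// ScenarioResult records the outcome of the three checks in RunScenario.
type ScenarioResult struct {
	OldAdmittedAlone  bool // v1.0 accepted while it is the only image known
	OldRejectedLater  bool // v1.0 rejected once signed v1.1 deprecating it is known
	ForgedDeprIgnored bool // a deprecation signed by another key has no effect
}

// RunScenario builds a two-image chain from constructed sample data and
// exercises the downgrade defence the issue describes.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // untrusted key
	app := "example.com/app"                            // constructed image name
	v10, _ := Sign(priv, Manifest{Name: app, Version: "1.0"})
	v11, _ := Sign(priv, Manifest{Name: app, Version: "1.1", Deprecates: []string{app + ":1.0"}})
	forged, _ := Sign(otherPriv, Manifest{Name: app, Version: "9.9", Deprecates: []string{app + ":1.1"}})
	var r ScenarioResult
	_, err = Admit(pub, v10, []SignedImage{v10})
	r.OldAdmittedAlone = err == nil
	_, err = Admit(pub, v10, []SignedImage{v10, v11})
	r.OldRejectedLater = err != nil
	_, err = Admit(pub, v11, []SignedImage{v10, v11, forged})
	r.ForgedDeprIgnored = err == nil
	return r, nil
}

func main() { fmt.Println(RunScenario()) }
```

The verifier here only needs a set of manifests it has already seen; because v1.0's manifest is still in that set after v1.1 arrives, the deprecation is not lost even if the attacker withholds v1.1 from a later fetch, which is the point of letting the newer image point backwards rather than relying on version comparison alone.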

philips commented 9 years ago

@alexanderkjeldaas I think this is a good idea to explore. Would you mind writing up some example use cases and perhaps a patch to the SPEC.md?