c2pa-org / specifications

The public specifications for the C2PA
Creative Commons Attribution 4.0 International

assertion.undeclared is unreferenced #24

Closed faceless2 closed 1 year ago

faceless2 commented 1 year ago

The error code assertion.undeclared is described as

An assertion was found in the ingredient’s manifest that was not explicitly declared in the ingredient’s claim.

But this requirement - which, when combined with assertion.missing effectively means the list of assertions in a manifest must be identical to the list of assertions in the manifest's claim - is not listed in the validation steps; assertion.undeclared is not referenced elsewhere in the spec.

Is this an actual current validation requirement, or is this error code a legacy from a now-dropped validation step?

kevinmkane commented 1 year ago

You are correct: this is not a validation requirement. We never required it, although the presence of the status code shows we considered it, and recommend all assertions be referenced. But we couldn't identify any security risk from there being extraneous assertions in the assertion store; it's just wasted space. Validating this requirement would require a separate pass over the assertion store and matching of its contents to the assertions array in the claim. This seemed like a lot of extra work for no benefit, so we did not require it.
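
The extra pass described in the reply above, sketched as an added example (not code from the thread's participants or from the C2PA project): it matches the claim's assertions array against the labels found in the assertion store and reports both directions of mismatch. The manifest is modelled as plain Python data instead of parsed JUMBF, hash checks are omitted, every reference is assumed to target the current manifest's own store, and the function names and sample values are constructed for illustration.

```python
# Added illustration: simplified model of one manifest, not a JUMBF parser.
ASSERTION_STORE = "c2pa.assertions"


def label_from_uri(uri):
    """Return the assertion label a claim reference points at, or None."""
    _, sep, path = uri.partition("#jumbf=")
    if not sep:
        return None
    parts = [p for p in path.split("/") if p]
    # Accept the relative form (c2pa.assertions/<label>) and the absolute
    # form (/c2pa/<manifest id>/c2pa.assertions/<label>).
    if len(parts) >= 2 and parts[-2] == ASSERTION_STORE:
        return parts[-1]
    return None


def compare_claim_to_store(claim_assertions, store_labels):
    """Match the claim's references against the assertion store contents."""
    referenced, unresolved = set(), []
    for ref in claim_assertions:
        label = label_from_uri(ref["url"])
        if label is None:
            unresolved.append(ref["url"])
        else:
            referenced.add(label)
    present = set(store_labels)
    return {
        # Referenced by the claim but absent from the store.
        "assertion.missing": sorted(referenced - present),
        # Present in the store but not referenced by the claim; per the
        # reply above this is wasted space, not a validation failure.
        "assertion.undeclared": sorted(present - referenced),
        "unresolved": unresolved,
    }


# Constructed sample data.
SAMPLE_CLAIM = [
    {"url": "self#jumbf=c2pa.assertions/c2pa.actions"},
    {"url": "self#jumbf=/c2pa/urn:uuid:constructed-0001/c2pa.assertions/c2pa.hash.data"},
    {"url": "self#jumbf=c2pa.assertions/c2pa.thumbnail.claim.jpeg"},
]
SAMPLE_STORE = ["c2pa.actions", "c2pa.hash.data", "stds.schema-org.CreativeWork"]

if __name__ == "__main__":
    print(compare_claim_to_store(SAMPLE_CLAIM, SAMPLE_STORE))
```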