Using timeout as the restricting mechanism fo signature verification

Question

Using timeout as the restricting mechanism fo signature verification

priteshbandi opened this issue 2 years ago · comments

    had a discussion with @gokarnm on this and he suggested using timeout as the restricting mechanism which sounds more appt here.

We should also modify the VerificationOutcome behavior to return only successful signature verification outcome.

cc: @shizhMSFT @rgnote

Originally posted by @priteshbandi in #191 (comment)

Pritesh Bandi · Answer 1 · Sat Nov 12 2022 05:14:07 GMT+0800 (China Standard Time)

The idea here is to have a configurable default timeout for verify command and once we have reached that limit and havent found successful verification we will fail verification command.

Pritesh Bandi · Answer 2 · Sat Nov 12 2022 05:49:40 GMT+0800 (China Standard Time)

Also, we might want to pull in #197 to RC1 which would provide cushion for verification timeout

Shiwei Zhang · Answer 3 · Sat Nov 12 2022 10:34:30 GMT+0800 (China Standard Time)

The idea here is to have a configurable default timeout for verify command and once we have reached that limit and havent found successful verification we will fail verification command.

The default timeout is hard to decide as we also need to consider network and CPU constraints. Basically, clients with better network and CPU power can verify more signatures and thus can further process the artifacts. Therefore, the verification result of artifacts is not deterministic if two clients verify the same artifact at the same time even the remote server returns the same response. It impacts the availability.

It seems more reasonable to limit the number of signatures attempted. At least, we are able to verify one signature.

Besides, I have no concerns to return successful outcome only.

Patrick Zheng · Answer 4 · Sat Nov 12 2022 14:49:25 GMT+0800 (China Standard Time)

@shizhMSFT @priteshbandi in terms of only returning successful outcome, the change is included in PR #186 along with the refactoring of the verifier package. PTAL.
As for issue #197, I think we could create a new PR for it after the refactoring work of notation-go is done.

Yi Zha · Answer 5 · Mon Nov 14 2022 14:42:31 GMT+0800 (China Standard Time)

My two cents:

#186 (comment)

Yi Zha · Answer 6 · Tue Nov 15 2022 10:03:23 GMT+0800 (China Standard Time)

Per community discussions:

notation-go supports both options: timeout for verification and Max Signature Attempts
No default values configured in notation-go library. Requiring notation CLI or other library user to pass the values into the library
Need further alignment on the notation CLI default behavior, like what is the default option, what is the default value, and how user can change it. (We could create an issue to track it)
@priteshbandi @shizhMSFT @patrickzheng200 @toddysm any comments?

vaninrao10 · Answer 7 · Sat Nov 19 2022 00:27:59 GMT+0800 (China Standard Time)

Define the CLI behavior and defaults in RC1 and implementation can be moved to RC2. The scenarios to be addressed will be as shown below but this is not the exhaustive list, but can be thought through more about it.

What will happen if user specify only timeout? Will they still be restricted by number of signatures?
What will happen if user specify only max number of signature? Will they still be restricted by default timeout?
What if user specified both max number of signature and timeout?
After we have answered above questions and more, next question would be whats the default values ? Once the behavior is discussed, update the Spec as part of RC1.

Yi Zha · Answer 8 · Tue Nov 22 2022 11:28:21 GMT+0800 (China Standard Time)

This issue will be split to three issues

Keep current issue for the timeout solution
Create a new issue for the maximum number of signatures solution. #212
Create a new issue for VerificationOutcome behavior. #214