[TAP 8] Describe DoS attack and prevention #183
mnm678 merged 3 commits into theupdateframework:master from
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678 it looks like you're thinking this is something that implementors can choose to mitigate, but couldn't this be a formal part of the spec; that is, put the limit in the metadata and make it so the client MUST fail if the number of revocation files is greater than the limit?
I would tend to agree that at a minimum, the existence of a limit and discussion around this should be in the document. Note that if there is a limit, what if some clients have a different limit than others? This will cause a divergence in views of the repo. So this almost certainly needs to be a per-repository setting based upon information in the root metadata.
Makes sense. I think this differs from the similar attack mentioned in #37 whereby any key holder can upload several different versions of the same metadata file. A revocation limit is something that could be defined ahead of time, whereas the number of metadata file versions really is unknown.
Signed-off-by: Marina Moore <mnm678@gmail.com>
I added some text about this. I think it can be addressed at the repository side by limiting uploads of rotate files after a certain point. This allows the repository to set the limit based on their available storage/hosting resources, and to share this limit with all clients.
Signed-off-by: Marina Moore <mnm678@gmail.com>
No description provided.
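The per-repository limit discussed in this thread, as an added sketch that is not part of the pull request or of TAP 8's text: clients with their own caps can disagree about the same rotate chain, while a cap read from root metadata gives every client the same answer. The `max_rotate_files` field, the function names and the key ids are hypothetical, and the dictionary stands in for signed rotate files (signature checks are out of scope).

```python
class RotateLimitExceeded(Exception):
    """Raised when a rotate chain is longer than the allowed limit."""


def resolve_current_keyid(start_keyid, rotate_files, max_rotate_files):
    """Follow rotate records from start_keyid and return the final key id.

    rotate_files maps an old key id to its replacement (a constructed
    stand-in for rotate files). The walk fails closed once more than
    max_rotate_files records have been followed, which bounds client
    work and also terminates on a cyclic chain.
    """
    keyid, followed = start_keyid, 0
    while keyid in rotate_files:
        followed += 1
        if followed > max_rotate_files:
            raise RotateLimitExceeded(
                f"more than {max_rotate_files} rotate files from {start_keyid}")
        keyid = rotate_files[keyid]
    return keyid


def client_view(root_metadata, rotate_files, start_keyid, local_limit=None):
    """Return the key id a client ends up trusting, or None if it rejects.

    local_limit models an implementation-chosen cap; when it is None the
    client uses the hypothetical root-metadata field instead.
    """
    limit = (local_limit if local_limit is not None
             else root_metadata["max_rotate_files"])
    try:
        return resolve_current_keyid(start_keyid, rotate_files, limit)
    except RotateLimitExceeded:
        return None


def repository_accepts_upload(existing_rotate_count, root_metadata):
    """Repository-side check: refuse a new rotate file once the cap is hit."""
    return existing_rotate_count < root_metadata["max_rotate_files"]


# Constructed sample data: a five-step rotate chain and a root cap of four.
ROOT = {"max_rotate_files": 4}
CHAIN = {"k0": "k1", "k1": "k2", "k2": "k3", "k3": "k4", "k4": "k5"}
```
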