feat(spec): Trust Manifest threat modeling review - suggested updates.#47
feat(spec): Trust Manifest threat modeling review - suggested updates.#47muscariello wants to merge 1 commit into
Conversation
muscariello
commented
Jun 21, 2026
- Require a present Trust Manifest to carry a substantive member (signature, attestations, provenance, or trustSchema); ADR-0015.
- Add a substrate-neutral distribution-mapping contract with OCI and xRegistry bindings; ADR-0014.
|
Preview: https://ai-catalog.io/pr/47/ This comment is updated automatically while the pull request preview is available. |
|
@darrelmiller @mindpower I went through a threat modeling session on the trust manifest. This is the set of modifications that I suggest to address some of the comments by Pamela and others. I did not do an accurate analysis since quite some time and if we want to get to v1 this is necessary. |
ramizpolic
left a comment
There was a problem hiding this comment.
This PR can also resolve the issue (Support multiple identities per catalog entry #52) depending if we have a decision. It may be useful extend this PR to include multiple trustmanifests, which would address both the concerns around identity and threat modelling in one go.
…pings - Require a present Trust Manifest to carry a substantive member (signature, attestations, provenance, or trustSchema); ADR-0015. - Add a substrate-neutral distribution-mapping contract with OCI and xRegistry bindings; record ADR-0014. Signed-off-by: Luca Muscariello <muscariello@ieee.org>
9dd4450 to
58597c3
Compare
|
I've implemented what this PR specifies end to end, because I wanted TomeVault's own catalog signed this way rather than waiting for v1, so I can offer some evidence from the implementing side. The subject binding closes the substitution case cleanly. Our vector suite runs the swap both ways, a validly signed pre-binding manifest accepts a substituted artifact, and the same swap fails once Three things bit me on the way through, offered as notes rather than review findings. The one that genuinely blocks a conformant implementation is a field-name mismatch the binding check depends on. The Catalog Entry prose defines the artifact's media type as F7 can be satisfied by a fetch that still fails two ways, and I know because ours did: a rebind between the address check and the connection, and a redirect off a validated URL into somewhere private. Resolving once, pinning the connection to the validated address, and refusing redirects closed both, and it may be worth the ADR saying that much, because "validate the target" reads as satisfied by a one-time check in front of an ordinary HTTP client. The large-integer caveat is real in practice too. An integer outside the JCS-safe range throws mid-canonicalisation, so a verifier has to catch that and return a rejection instead of letting it surface as an internal error. If a reference verifier, or the threat-model document ADR-0014 points at (trust-manifest-threat-model.md isn't in the repo yet), would help this land, I'm glad to contribute either. The reason we lean on this PR so hard is that the attestations we attach are quality and consistency claims about content that drifts, and that kind of claim only means anything bound to the exact bytes it was made about. Once this lands I'd like to bring an attestation type for measured quality and consistency, but that's a follow-up and this PR comes first. |