Consider a Sigsum policy at submit time which contains, for simplicity, just trust in a single witness. The witness is online, the submission succeeds, and we store a new verification file.
*time passes*
The witness is now no longer running. We change the security policy in tkey-verify to no longer demand signatures from that witness.
A user now purchases the TKey corresponding to the verification file mentioned above, containing the now offline witness. Our new security policy doesn't mention this witness at all.
Verification fails. User is frustrated.
How do we handle this?
- We probably don't want to keep witnesses known to be offline in the security policy for tkey-verify, right?
- Keep a set of historical policies and use the right policy according to the time when the verification file was created (or the timestamps from the witnesses in it?)
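A sketch of the second option, selecting the policy by time, as an added example that is not tkey-verify or Sigsum code. The `Policy` type, the witness names and the dates are hypothetical; the example assumes the cosignatures have already been checked cryptographically and that the time passed to `PolicyAt` is authenticated (for instance taken from the witness timestamps), since a time read from an unauthenticated field would let anyone select the weakest historical policy.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy is a simplified, hypothetical stand-in for a Sigsum trust policy.
type Policy struct {
	ValidFrom time.Time       // first moment this policy applied to new submissions
	Witnesses map[string]bool // identifiers of witnesses trusted under this policy
	Quorum    int             // how many distinct trusted witnesses must have cosigned
}

// PolicyAt returns the policy in force at time t; history is sorted by ValidFrom.
// Assumption: t is authenticated, not a free-form field in the verification file.
func PolicyAt(history []Policy, t time.Time) (Policy, error) {
	for i := len(history) - 1; i >= 0; i-- {
		if !history[i].ValidFrom.After(t) {
			return history[i], nil
		}
	}
	return Policy{}, errors.New("no policy covers this time")
}

// Satisfied reports whether the already-verified cosigners meet p's quorum.
func Satisfied(p Policy, cosigners []string) bool {
	seen := map[string]bool{}
	for _, w := range cosigners {
		if p.Witnesses[w] {
			seen[w] = true // count each trusted witness once
		}
	}
	return len(seen) >= p.Quorum
}

// History is constructed sample data: witness-A is retired, witness-B replaces it.
func History() []Policy {
	return []Policy{
		{time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), map[string]bool{"witness-A": true}, 1},
		{time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), map[string]bool{"witness-B": true}, 1},
	}
}

func main() {
	p, err := PolicyAt(History(), time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(err, Satisfied(p, []string{"witness-A"}))
}
```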