Description
This text has been modified a lot (see #209 for latest) but the root update section of client workflow is still difficult for new readers:
> 5. Check for a rollback attack. The version number of the trusted root metadata file (version N) MUST be less than the version number of the new root metadata file (version N+1). Effectively, this means checking that the version number signed in the new root metadata file is indeed N+1. If the version of the new root metadata file is less than the version of the trusted metadata file, discard it, abort the update cycle, and report the rollback attack. In case they are equal, again discard the new root metadata, but proceed the update cycle with the already trusted root metadata.
This is still very long and not super clear. Examples:
- what does "proceed the update cycle" mean? (I'm pretty sure it means go to 5.3.10 but it's not obvious to a new reader)
- what if the new version is N+2? It almost sounds like this would be ok by the spec, but it doesn't make sense: the only valid version number is N+1

Why don't we just say that the only accepted version is N+1, and everything else should be an error (because we tried to download N+1 and were given something else)?
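As an added illustration (not code from this issue, the TUF specification, or any TUF client), the two readings of this step side by side: the literal "less than" wording quoted above, and the strict "only N+1" rule the issue proposes. The `RootMetadata` class, the `Outcome` names and the version numbers are constructed for the example.

```python
"""Root-metadata version check from the TUF client workflow, in two readings.

Constructed example; not the specification's text or a reference client.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept new root as trusted"
    KEEP_TRUSTED = "discard new root, continue with trusted root"
    ROLLBACK_ATTACK = "abort: rollback attack"
    UNEXPECTED_VERSION = "abort: unexpected root version"


@dataclass(frozen=True)
class RootMetadata:
    version: int  # the signed "version" field of root.json (constructed stand-in)


def check_root_literal(trusted: RootMetadata, new: RootMetadata) -> Outcome:
    """The step as currently worded: trusted MUST be less than new, equal means
    keep the trusted root, smaller means rollback. Read literally, this accepts
    N+2 or any larger version, which is the ambiguity the issue points out."""
    if new.version < trusted.version:
        return Outcome.ROLLBACK_ATTACK
    if new.version == trusted.version:
        return Outcome.KEEP_TRUSTED
    return Outcome.ACCEPT


def check_root_strict(trusted: RootMetadata, new: RootMetadata) -> Outcome:
    """The wording the issue proposes: the client asked for N+1, so N+1 is the
    only acceptable version. A smaller version is still reported as a rollback;
    anything else (N, N+2, ...) is an error."""
    if new.version == trusted.version + 1:
        return Outcome.ACCEPT
    if new.version < trusted.version:
        return Outcome.ROLLBACK_ATTACK
    return Outcome.UNEXPECTED_VERSION


def compare_readings(trusted_version: int, offered_versions) -> dict:
    """Run both readings over offered root versions.
    Returns {offered_version: (literal_outcome, strict_outcome)}."""
    trusted = RootMetadata(trusted_version)
    return {v: (check_root_literal(trusted, RootMetadata(v)),
                check_root_strict(trusted, RootMetadata(v)))
            for v in offered_versions}


if __name__ == "__main__":
    for v, (literal, strict) in compare_readings(3, [2, 3, 4, 5]).items():
        print(f"trusted=3 offered={v}: literal={literal.name}, strict={strict.name}")
```

Offered version 5 against trusted version 3 is the case that separates the two readings: the literal wording accepts it, the strict rule rejects it.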