authorLinus Nordberg <linus@nordberg.se>2021-12-08 11:47:26 +0100
committerLinus Nordberg <linus@nordberg.se>2021-12-08 11:47:26 +0100
commit4507a1f8d540e9ae7c3f947df44e678af75b82c8 (patch)
tree895634bc9432ec5b3ef80c3e1f703e6590ba062d
parent4c8261eb1a732f68f3c9cd3204ac856208969ecc (diff)
follow spec wrt tree head age
Allow for 10s of clock drift too. Bug reported by rgdd.
-rw-r--r--issues/update-timestamp-verification.md10
-rwxr-xr-xsigsum-witness.py9
2 files changed, 5 insertions, 14 deletions
diff --git a/issues/update-timestamp-verification.md b/issues/update-timestamp-verification.md
deleted file mode 100644
index e804856..0000000
--- a/issues/update-timestamp-verification.md
+++ /dev/null
@@ -1,10 +0,0 @@
-**Title**: Update timestamp verification
-**Date**: 2021-12-08
-
-# Summary
-Update the condition which is used to determine whether a tree head is fresh.
-
-# Description
-The current Sigsum API documentation specifies that a witness must not sign a
-tree head if its timestamp is older than five minutes. The current witness
-implementation uses an older interval that was looser: +- 12 hours.
diff --git a/sigsum-witness.py b/sigsum-witness.py
index 730c6b8..2be3f3a 100755
--- a/sigsum-witness.py
+++ b/sigsum-witness.py
@@ -164,12 +164,13 @@ class TreeHead:
def timestamp_valid(self, now):
ts_sec = self.timestamp
ts_asc = time.ctime(ts_sec)
- if ts_sec < now - 12 * 3600:
+ acceptable_drift = 10
+ if ts_sec < now - 5 * 60 - acceptable_drift:
return (ERR_OK,
- "WARNING: Tree head timestamp too old: {} ({})".format(ts_sec, ts_asc))
- if ts_sec > now + 12 * 3600:
+ "WARNING: Tree head timestamp older than five minutes: {} ({})".format(ts_sec, ts_asc))
+ if ts_sec > now + acceptable_drift:
return (ERR_OK,
- "WARNING: Tree head timestamp too new: {} ({})".format(ts_sec, ts_asc))
+ "WARNING: Tree head timestamp from the future: {} ({})".format(ts_sec, ts_asc))
def history_valid(self, prev):
if self.tree_size < prev.tree_size:
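Review bot: Both out-of-window branches of `timestamp_valid` still return `ERR_OK` with only a "WARNING:" string, so the tighter window (five minutes plus 10 s of drift) enforces nothing unless the caller refuses to cosign when it gets that tuple, and the caller is not visible in this hunk. The issue text deleted by this commit says a witness must not sign a tree head older than five minutes, so a stale or future-dated tree head should be a hard failure, e.g. `return (<existing non-OK error code, placeholder>, "Tree head timestamp older than five minutes: ...")`. Judging from the visible lines, the valid path falls through with an implicit `None`; an explicit `return None` and a short docstring stating the return contract would make the freshness decision auditable. The `history_valid` body that follows continues outside the hunk.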