From 4ef60084222c7d14bde9032d74ff5d02bcc3e32d Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Tue, 22 Jun 2021 23:35:42 +0200 Subject: moved documentation to sigsum/sigsum repository --- doc/claimant.md | 71 --------------------------------------------------------- 1 file changed, 71 deletions(-) delete mode 100644 doc/claimant.md (limited to 'doc/claimant.md') diff --git a/doc/claimant.md b/doc/claimant.md deleted file mode 100644 index 6728fef..0000000 --- a/doc/claimant.md +++ /dev/null @@ -1,71 +0,0 @@ -# Claimant model -## **SystemCHECKSUM** -SystemCHECKSUM is about the claims made by a data publisher. -* **ClaimCHECKSUM**: - _I, data publisher, claim that the data_: - 1. has cryptographic hash X - 2. is produced by no-one but myself -* **StatementCHECKSUM**: signed checksum
-* **ClaimantCHECKSUM**: data publisher
- The data publisher is a party that wants to publish some data. -* **BelieverCHECKSUM**: end-user
- The end-user is a party that wants to use some published data. -* **VerifierCHECKSUM**: data publisher
- Only the data publisher can verify the above claims. -* **ArbiterCHECKSUM**:
- There's no official body. Invalidated claims would affect reputation. - -SystemCHECKSUM\* can be defined to make more specific claims. Below -is a reproducible builds example. - -### **SystemCHECKSUM-RB**: -SystemCHECKSUM-RB is about the claims made by a _software publisher_ -that makes reproducible builds available. -* **ClaimCHECKSUM-RB**: - _I, software publisher, claim that the data_: - 1. has cryptographic hash X - 2. is the output of a reproducible build for which the source can be located - using X as an identifier -* **StatementCHECKSUM-RB**: StatementCHECKSUM -* **ClaimantCHECKSUM-RB**: software publisher
- The software publisher is a party that wants to publish the output of a - reproducible build. -* **BelieverCHECKSUM-RB**: end-user
- The end-user is a party that wants to run an executable binary that built - reproducibly. -* **VerifierCHECKSUM-RB**: any interested party
- These parties try to verify the above claims. For example: - * the software publisher itself (_"has my identity been compromised?"_) - * rebuilders that check for locatability and reproducibility -* **ArbiterCHECKSUM-RB**:
- There's no official body. Invalidated claims would affect reputation. - -## **SystemCHECKSUM-LOG**: -SystemCHECKSUM-LOG is about the claims made by a _log operator_. -It adds _discoverability_ into SystemCHECKSUM\*. Discoverability -means that VerifierCHECKSUM\* can see all -StatementCHECKSUM that BelieverCHECKSUM\* accept. - -* **ClaimCHECKSUM-LOG**: - _I, log operator, make available:_ - 1. a globally consistent append-only log of StatementCHECKSUM -* **StatementCHECKSUM-LOG**: signed tree head -* **ClaimantCHECKSUM-LOG**: log operator
- Possible operators might be: - * a small subset of data publishers - * members of relevant consortia -* **BelieverCHECKSUM-LOG**: - * BelieverCHECKSUM\* - * VerifierCHECKSUM\*
-* **VerifierCHECKSUM-LOG**: third parties
- These parties verify the above claims. Examples include: - * members of relevant consortia - * non-profits and other reputable organizations - * security enthusiasts and researchers - * log operators (cross-ecosystem) - * monitors (cross-ecosystem) - * a small subset of data publishers (cross-ecosystem) -* **ArbiterCHECKSUM-LOG**:
- There is no official body. The ecosystem at large should stop using an - instance of SystemCHECKSUM-LOG if cryptographic proofs of log - misbehavior are preseneted by some VerifierCHECKSUM-LOG. -- cgit v1.2.3