# Claimant model ## **System^CHECKSUM** System^CHECKSUM is about the claims made by a data publisher. * **Claim^CHECKSUM**: _I, data publisher, claim that the data_: 1. has cryptographic hash X 2. is produced by no-one but myself * **Statement^CHECKSUM**: signed checksum
* **Claimant^CHECKSUM**: data publisher
The data publisher is a party that wants to publish some data. * **Believer^CHECKSUM**: end-user
The end-user is a party that wants to use some published data. * **Verifier^CHECKSUM**: data publisher
Only the data publisher can verify the above claims. * **Arbiter^CHECKSUM**:
There's no official body. Invalidated claims would affect reputation. System^CHECKSUM\* can be defined to make more specific claims. Below is a reproducible builds example. ### **System^CHECKSUM-RB**: System^CHECKSUM-RB is about the claims made by a _software publisher_ that makes reproducible builds available. * **Claim^CHECKSUM-RB**: _I, software publisher, claim that the data_: 1. has cryptographic hash X 2. is the output of a reproducible build for which the source can be located using X as an identifier * **Statement^CHECKSUM-RB**: Statement^CHECKSUM * **Claimant^CHECKSUM-RB**: software publisher
The software publisher is a party that wants to publish the output of a reproducible build. * **Believer^CHECKSUM-RB**: end-user
The end-user is a party that wants to run an executable binary that built reproducibly. * **Verifier^CHECKSUM-RB**: any interested party
These parties try to verify the above claims. For example: * the software publisher itself (_"has my identity been compromised?"_) * rebuilders that check for locatability and reproducibility * **Arbiter^CHECKSUM-RB**:
There's no official body. Invalidated claims would affect reputation. ## **System^CHECKSUM-LOG**: System^CHECKSUM-LOG is about the claims made by a _log operator_. It adds _discoverability_ into System^CHECKSUM\*. Discoverability means that Verifier^CHECKSUM\* can see all Statement^CHECKSUM that Believer^CHECKSUM\* accept. * **Claim^CHECKSUM-LOG**: _I, log operator, make available:_ 1. a globally consistent append-only log of Statement^CHECKSUM * **Statement^CHECKSUM-LOG**: signed tree head * **Claimant^CHECKSUM-LOG**: log operator
Possible operators might be: * a small subset of data publishers * members of relevant consortia * **Believer^CHECKSUM-LOG**: * Believer^CHECKSUM\* * Verifier^CHECKSUM\*
* **Verifier^CHECKSUM-LOG**: third parties
These parties verify the above claims. Examples include: * members of relevant consortia * non-profits and other reputable organizations * security enthusiasts and researchers * log operators (cross-ecosystem) * monitors (cross-ecosystem) * a small subset of data publishers (cross-ecosystem) * **Arbiter^CHECKSUM-LOG**:
There is no official body. The ecosystem at large should stop using an instance of System^CHECKSUM-LOG if cryptographic proofs of log misbehavior are preseneted by some Verifier^CHECKSUM-LOG.