path: root/doc/claimant.md
blob: 2aeebf0910f9e38e2d576cfd6d39d1c159cdc53a (plain)
# Claimant model
## **System<sup>CHECKSUM</sup>**:
System<sup>CHECKSUM</sup> is about the claims made by a _data publisher_.
* **Claim<sup>CHECKSUM</sup>**:
	_I, data publisher, claim that the data_:
	1. has cryptographic hash X
	2. can be located using X as an identifier
	3. has properties Y (_"ecosystem specific_")
* **Statement<sup>CHECKSUM</sup>**: signed checksum<br>
* **Claimant<sup>CHECKSUM</sup>**: data publisher<br>
	The data publisher is a party that wants to publish some data to an
	end-user.
* **Believer<sup>CHECKSUM</sup>**: end-user<br>
	Belief is based on seeing a valid Statement<sup>CHECKSUM</sup>.
* **Verifier<sup>CHECKSUM</sup>**: any interested party<br>
	These parties try to verify the above claims.  For example:
	* the data publisher itself (_"has my identity been compromised?"_)
	* third-parties that want to look further into the data (_"ecosystem
	specific_")
* **Arbiter<sup>CHECKSUM</sup>**:<br>
	There's no official body.  Invalidated claims would affect reputation.

**Example.**
The published data could be an executable binary from a reproducible build.  The
ecosystem-specific claim would be that the corresponding source code can be
looked up in a public database using X as an identifier.  A rebuilder would
verify this claim by compiling the source and comparing the hash of the output
to the claimed value.

## **System<sup>CHECKSUM-LOG</sup>**:
System<sup>CHECKSUM-LOG</sup> is about the claims made by a _log operator_.
It adds _discoverability_ into System<sup>CHECKSUM</sup>.  Discoverability means
that Verifier<sup>CHECKSUM</sup> can see all Statement<sup>CHECKSUM</sup> that
Believer<sup>CHECKSUM</sup> will accept.

* **Claim<sup>CHECKSUM-LOG</sup>**:
	_I, log operator, make available:_
	1. a globally consistent append-only log of Statement<sup>CHECKSUM</sup>
* **Statement<sup>CHECKSUM-LOG</sup>**: signed tree head
* **Claimant<sup>CHECKSUM-LOG</sup>**: log operator<br>
	Possible operators might be:
	* a small subset of data publishers
	* members of relevant consortia
* **Believer<sup>CHECKSUM-LOG</sup>**:
	Believer<sup>CHECKSUM</sup> and
	Verifier<sup>CHECKSUM</sup><br>
	Belief is based on two factors:
	1. seeing a valid Statement<sup>CHECKSUM-LOG</sup>
	2. seeing a number of valid Statement<sup>CHECKSUM-WITNESS</sup> from
	independent instances on System<sup>CHECKSUM-WITNESS</sup>
	
	A _policy_ defines the exact conditions that must be met.
* **Verifier<sup>CHECKSUM-LOG</sup>**: System<sup>CHECKSUM-WITNESS</sup><br>
	Witnesses verify the log's append-only property from their own local
	vantage point(s).
* **Arbiter<sup>CHECKSUM-LOG</sup>**:<br>
	There is no official body.  The ecosystem at large should stop using an
	instance of System<sup>CHECKSUM-LOG</sup> if cryptographic proofs of log
	misbehavior are presented by some Verifier<sup>CHECKSUM-LOG</sup>.

## **System<sup>CHECKSUM-WITNESS</sup>**:
System<sup>CHECKSUM-WITNESS</sup> is about making the claims of a log operator
_trustworthy_.
* **Claim<sup>CHECKSUM-WITNESS</sup>**:
	_I, witness, claim that_:
	1. System<sup>CHECKSUM-LOG</sup> provides a locally consistent append-only
	log
* **Statement<sup>CHECKSUM-WITNESS</sup>**: signed tree head
* **Claimant<sup>CHECKSUM-WITNESS</sup>**: third party<br>
	Examples of parties that may take on this role include:
	* members of relevant consortia
	* non-profits and other reputable organizations
	* security enthusiasts and researchers
	* log operators (cross-ecosystem)
	* monitors (cross-ecosystem)
	* a small subset of data publishers (cross-ecosystem)
* **Believer<sup>CHECKSUM-WITNESS</sup>**:
	Believer<sup>CHECKSUM</sup> and
	Verifier<sup>CHECKSUM</sup><br>
	Belief is based on seeing a valid Statement<sup>CHECKSUM-WITNESS</sup>.
* **Verifier<sup>CHECKSUM-WITNESS</sup>**: n/a<br>
	Witnesses are trusted parties.  Security is based on _strength in numbers_.
* **Arbiter<sup>CHECKSUM-WITNESS</sup>**:<br>
	There is no official body.  Invalidated claims would affect reputation.
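The check behind Claim<sup>CHECKSUM-WITNESS</sup> and Verifier<sup>CHECKSUM-LOG</sup> above is the same one: a witness holding an older tree head must be convinced that the new tree head extends it without rewriting history.  The following Python is an added example, not part of this document or the project's code; it verifies a Merkle consistency proof over an RFC 6962-style tree, with the log-side helpers (`tree_head`, `consistency_proof`) and the constructed leaves as stand-ins for a real log, and with the signatures on both tree heads omitted.

```python
import hashlib

def _leaf(data: bytes) -> bytes:                # RFC 6962 leaf hash
    return hashlib.sha256(b"\x00" + data).digest()

def _node(left: bytes, right: bytes) -> bytes:  # RFC 6962 interior node hash
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:                      # largest power of two below n (n > 1)
    return n // 2 if n & (n - 1) == 0 else 1 << (n.bit_length() - 1)

def tree_head(leaves: list) -> bytes:
    """Merkle tree hash over the leaves; the log's signed tree head commits to it."""
    if len(leaves) <= 1:
        return _leaf(leaves[0]) if leaves else hashlib.sha256(b"").digest()
    k = _split(len(leaves))
    return _node(tree_head(leaves[:k]), tree_head(leaves[k:]))

def consistency_proof(m: int, leaves: list, complete: bool = True) -> list:
    """Log side (stand-in): proof that the tree over leaves[:m] is a prefix of the whole tree."""
    n = len(leaves)
    if m == n:
        return [] if complete else [tree_head(leaves)]
    k = _split(n)
    if m <= k:
        return consistency_proof(m, leaves[:k], complete) + [tree_head(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [tree_head(leaves[:k])]

def verify_consistency(first, second, first_hash, second_hash, path) -> bool:
    """Witness side (RFC 9162 procedure): head `first` must be a prefix of head `second`."""
    if not path or not 0 < first < second:  # only first == second may carry an empty path
        return first == second and not path and first_hash == second_hash
    if first & (first - 1) == 0:            # first is an exact power of two
        path = [first_hash] + path
    fn, sn = first - 1, second - 1
    while fn & 1:                           # skip the low bits both sizes share
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:                         # more path elements than the sizes allow
            return False
        if fn & 1 or fn == sn:              # c is a left sibling of both subtrees
            fr, sr = _node(c, fr), _node(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:                               # c only extends the newer tree
            sr = _node(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0
```

A proof built from a log whose earlier entries were rewritten reconstructs a different old root, so the witness refuses to cosign the new tree head.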