diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-12 17:43:03 +0200 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-12 17:43:03 +0200 |
commit | 8c10d09289289ddbc349503dac4b0493bf73b2b3 (patch) | |
tree | 4d64c2f28b9dc77fbbafc2d80bd79babcc9ef31a | |
parent | 34746cefa42bb7d4fd1b3d8bace285bd393db7d5 (diff) |
removed comments about partial enforcement
To be re-added at a later time somewhere else. It is not helpful for a
reader that is trying to understand the basic design for the first time.
Spotted by ln5.
-rw-r--r-- | doc/design.md | 10 |
1 files changed, 0 insertions, 10 deletions
diff --git a/doc/design.md b/doc/design.md index 821ba88..e1f3b5e 100644 --- a/doc/design.md +++ b/doc/design.md @@ -294,16 +294,6 @@ logs have trustworthy tree heads thanks to using a variant of witness cosigning. A verifier cannot be tricked into accepting data whose checksum have not been publicly logged unless the attacker controls more than a threshold of witnesses. -In a less ideal world sigsum logging can facilitate detection of attacks if a -verifier _fails open_ by enforcing the second and third criteria partially. For -example, some verifier may not enforce these criteria at all, and so would -accept data from a malicious data mirror without proofs of public logging. -Someone in a similar area may be able to detect this and report the attack. - -Another example of partial enforcement would be if a verifier required logging -in a known log without witnessing. Attacks against the signer's signing and -release infrastructure would be detected if the log is not compromised. - #### 3.2.6 - Monitoring An often overlooked step is that transparency logging falls short if no-one keeps track of what appears in the public logs. Monitoring is necessarily |