aboutsummaryrefslogtreecommitdiff
path: root/doc/design.md
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-10-10 20:01:22 +0200
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-10-10 20:08:14 +0200
commitd1ea4e9a9940367cc5dfdaf0d9eab99d1a54eb8b (patch)
treec7a91b84918f024dad537b994772ab7131bca15a /doc/design.md
parentab7b2645e73bc0880960d8b1378bcc9a926acd1d (diff)
emphasized "attacker" instead of "log operator"
Diffstat (limited to 'doc/design.md')
-rw-r--r--doc/design.md4
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/design.md b/doc/design.md
index 9030091..40287a4 100644
--- a/doc/design.md
+++ b/doc/design.md
@@ -128,7 +128,7 @@ The overall system is said to be secure if a log monitor can discover every
signed checksum that a verifier would accept.
A log can misbehave by not presenting the same append-only Merkle tree to
everyone because it is attacker-controlled.
-However, a log operator would only do that if it is likely to go unnoticed.
+The attacker would only do that if it is likely to go unnoticed, however.
For security we need a collision resistant hash function and an unforgeable
signature scheme. We also assume that at most a threshold of independent
@@ -137,7 +137,7 @@ attempts
[split-view](https://datatracker.ietf.org/doc/html/draft-ietf-trans-gossip-05)
and
[slow-down](https://git.sigsum.org/sigsum/tree/archive/2021-08-24-checkpoint-timestamp)
-attacks. A log operator can at best deny service with these assumptions.
+attacks. An attacker can at best deny service with these assumptions.
## 3 - Design
An overview of sigsum logging is shown in Figure 1. Before going into detail