author    | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-10 20:00:51 +0200
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-10 20:08:14 +0200
commit    | 8211f0ecdf8a65584d34ee177616dda80ebcab17
tree      | 7d966cff206b2422f0e27655ca8e4e9032bc05df /doc
parent    | 05548e4e289890f318d93b90cb47730c45acc210
reworked partial enforcement of verification criteria
- Expanded into two separate examples
- Moved it into the verification subsection
Diffstat (limited to 'doc')
-rw-r--r-- | doc/design.md | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/doc/design.md b/doc/design.md index 9df24f0..22ceb1d 100644 --- a/doc/design.md +++ b/doc/design.md 
@@ -284,21 +284,22 @@ using a variant of witness cosigning. A verifier cannot be tricked into accepting data whose checksum have not been publicly logged unless the attacker controls more than a threshold of witnesses. +In a less ideal world sigsum logging can facilitate detection of attacks if a +verifier _fails open_ by enforcing the second and third criteria partially. For +example, some verifier may not enforce these criteria at all, and so would +accept data from a malicious data mirror without proofs of public logging. +Someone in a similar area may be able to detect this and report the attack. + +Another example of partial enforcement would be if a verifier required logging +in a known log without witnessing. Attacks against the signer's signing and +release infrastructure would be detected if the log is not compromised. + #### 3.2.6 - Monitoring An often overlooked step is that transparency logging falls short if no-one keeps track of what appears in the public logs. Monitoring is necessarily use-case specific in sigsum. At a minimum, a monitor needs to locate relevant public keys. It may also need to be aware of how to locate the data that a given checksum represents. -It should also be noted that sigsum logging can facilitate detection of attacks -even if a verifier fails open by enforcing the third and fourth criteria partially -in Section 3.2.5. For example, the fact that a distribution mechanism does not -serve proofs of public logging could indicate that there is an ongoing attack -against a signer's distributed infrastructure. A monitor may detect that. - -[["fails open" needs an explanation /ln]] -[["by enforcing the third and fourth criteria partially in Section 3.2.5" needs a little more context -- partially how? /ln]] - ### 3.3 - Summary [[move the summary to the top of section 3? /ln]] Sigsum logs are sharded and shut down at predefined times. A sigsum log can |
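Review bot: the new first paragraph still uses "_fails open_" without saying what it means, even though the note being deleted in this same hunk (`[["fails open" needs an explanation /ln]]`) asked for exactly that; add the definition inline, e.g. "if a verifier _fails open_, that is, accepts data even when the proofs it would normally require are missing, by enforcing the second and third criteria only partially". Two smaller points in the same region: the first example ("some verifier may not enforce these criteria at all") describes no enforcement rather than partial enforcement, so it does not illustrate the sentence it follows, and "Someone in a similar area may be able to detect this" is vaguer than the sentence it replaces ("A monitor may detect that"); say who detects it, a monitor or a verifier that does enforce the criteria. In the second example, "Attacks against the signer's signing and release infrastructure would be detected if the log is not compromised" overstates what logging alone gives: the log only makes the attack visible, and detection still needs someone watching the log, which is the point 3.2.6 makes immediately below ("transparency logging falls short if no-one keeps track of what appears in the public logs"); suggest "could be detected by a monitor of that log, provided the log itself is not compromised". Finally, the removed text referred to "the third and fourth criteria" and the added text to "the second and third"; the criteria list in 3.2.5 is not in this hunk, so please double-check the new numbering against it.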