author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-02 00:40:25 +0200 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-10-02 00:54:13 +0200 |
commit | 234736fa1db20629058af391e4bf9bf4010ecc26 (patch) | |
tree | 67c33045ba5ab2ff38670d786c45e1b66d3732ce /doc | |
parent | f64c1f24a3956be8547d5d98a0348fd7b49f6aa7 (diff) |
updated claimant model examples
I think the claimant model is most helpful for us to describe the
different use-cases of a sigsum log. Let's focus on claimant models for
use-cases in this document, not claimant models for logs _as well_.
I kept R-B as an example because it is concrete, and fixed the long-due
updates that GeKo pointed out a while back about, e.g., "right data".
Diffstat (limited to 'doc')
-rw-r--r-- | doc/claimant.md | 88 |
1 files changed, 24 insertions, 64 deletions
diff --git a/doc/claimant.md b/doc/claimant.md index 6728fef..cfb6198 100644 --- a/doc/claimant.md +++ b/doc/claimant.md 
@@ -1,71 +1,31 @@ -# Claimant model -## **System<sup>CHECKSUM</sup>** -System<sup>CHECKSUM</sup> is about the claims made by a data publisher. -* **Claim<sup>CHECKSUM</sup>**: - _I, data publisher, claim that the data_: - 1. has cryptographic hash X - 2. is produced by no-one but myself -* **Statement<sup>CHECKSUM</sup>**: signed checksum<br> -* **Claimant<sup>CHECKSUM</sup>**: data publisher<br> - The data publisher is a party that wants to publish some data. -* **Believer<sup>CHECKSUM</sup>**: end-user<br> - The end-user is a party that wants to use some published data. -* **Verifier<sup>CHECKSUM</sup>**: data publisher<br> - Only the data publisher can verify the above claims. -* **Arbiter<sup>CHECKSUM</sup>**:<br> - There's no official body. Invalidated claims would affect reputation. +# Use-case specific claimant models +Sigsum logs can be used for a variety of use-cases. One way to describe your +use-case is with the + [claimant model](https://github.com/google/trillian/blob/master/docs/claimantmodel/CoreModel.md). +You will realize that verifiers must see the same signed statements as believers. +Sigsum solves that. -System<sup>CHECKSUM\*</sup> can be defined to make more specific claims. Below -is a reproducible builds example. +XXX: add more examples. -### **System<sup>CHECKSUM-RB</sup>**: -System<sup>CHECKSUM-RB</sup> is about the claims made by a _software publisher_ -that makes reproducible builds available. -* **Claim<sup>CHECKSUM-RB</sup>**: - _I, software publisher, claim that the data_: +## **System<sup>RB</sup>**: +System<sup>RB</sup> is about the claims made by a _software publisher_ that +makes reproducible builds available. +* **Claim<sup>RB</sup>**: + _I, software publisher, claim that the right opaque data_: 1. has cryptographic hash X - 2. 
is the output of a reproducible build for which the source can be located - using X as an identifier -* **Statement<sup>CHECKSUM-RB</sup>**: Statement<sup>CHECKSUM</sup> -* **Claimant<sup>CHECKSUM-RB</sup>**: software publisher<br> - The software publisher is a party that wants to publish the output of a - reproducible build. -* **Believer<sup>CHECKSUM-RB</sup>**: end-user<br> - The end-user is a party that wants to run an executable binary that built - reproducibly. -* **Verifier<sup>CHECKSUM-RB</sup>**: any interested party<br> + 2. is the output of a reproducible build for which the source and relevant + build-info information can be located in repository Y using X as an identifier +* **Statement<sup>RB</sup>**: Statement<sup>CHECKSUM</sup><br> + The signed statement encodes a cryptographic hash X. +* **Claimant<sup>RB</sup>**: software publisher<br> + The software publisher is a party that wants to publish a reproducible + build. +* **Believer<sup>RB</sup>**: end-user<br> + The end-user is a party that wants to run an executable binary if it + builds reproducibly. +* **Verifier<sup>RB</sup>**: any interested party<br> These parties try to verify the above claims. For example: * the software publisher itself (_"has my identity been compromised?"_) * rebuilders that check for locatability and reproducibility -* **Arbiter<sup>CHECKSUM-RB</sup>**:<br> +* **Arbiter<sup>RB</sup>**:<br> There's no official body. Invalidated claims would affect reputation. - -## **System<sup>CHECKSUM-LOG</sup>**: -System<sup>CHECKSUM-LOG</sup> is about the claims made by a _log operator_. -It adds _discoverability_ into System<sup>CHECKSUM\*</sup>. Discoverability -means that Verifier<sup>CHECKSUM\*</sup> can see all -Statement<sup>CHECKSUM</sup> that Believer<sup>CHECKSUM\*</sup> accept. - -* **Claim<sup>CHECKSUM-LOG</sup>**: - _I, log operator, make available:_ - 1. 
a globally consistent append-only log of Statement<sup>CHECKSUM</sup> -* **Statement<sup>CHECKSUM-LOG</sup>**: signed tree head -* **Claimant<sup>CHECKSUM-LOG</sup>**: log operator<br> - Possible operators might be: - * a small subset of data publishers - * members of relevant consortia -* **Believer<sup>CHECKSUM-LOG</sup>**: - * Believer<sup>CHECKSUM\*</sup> - * Verifier<sup>CHECKSUM\*</sup><br> -* **Verifier<sup>CHECKSUM-LOG</sup>**: third parties<br> - These parties verify the above claims. Examples include: - * members of relevant consortia - * non-profits and other reputable organizations - * security enthusiasts and researchers - * log operators (cross-ecosystem) - * monitors (cross-ecosystem) - * a small subset of data publishers (cross-ecosystem) -* **Arbiter<sup>CHECKSUM-LOG</sup>**:<br> - There is no official body. The ecosystem at large should stop using an - instance of System<sup>CHECKSUM-LOG</sup> if cryptographic proofs of log - misbehavior are preseneted by some Verifier<sup>CHECKSUM-LOG</sup>. |
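Review bot: The added line `**Statement<sup>RB</sup>**: Statement<sup>CHECKSUM</sup><br>` still refers to Statement<sup>CHECKSUM</sup>, but the same hunk deletes the System<sup>CHECKSUM</sup> section that defined it as "signed checksum", so the reference no longer resolves anywhere in doc/claimant.md. Suggest spelling the statement out in place (a signed checksum that encodes hash X) or linking to the document that specifies it. In Claim<sup>RB</sup> item 2, repository Y is introduced while the statement is described as encoding only hash X; the text should say how a verifier learns Y, since locatability is one of the things rebuilders are expected to check. The new introduction says verifiers must see the same signed statements as believers and that "Sigsum solves that", but the removed System<sup>CHECKSUM-LOG</sup> section was the only place that explained this discoverability property, so a pointer to where it is now documented would help. Smaller points: "build-info information" is redundant, and the "XXX: add more examples." placeholder is better tracked as an issue than left in the published document.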