noted that verified timestamps have more use-cases

A believer can be convinced that a sigsum was logged after time T.  This
is because witnesses do Verifier(append-only) and Verifier(Freshness).

Outline: a claimant is about to log a sigsum.

1. Fetch the most recent cosigned tree head.
    - Timestamp is T
    - Tree size is N
2. Submit sigsum for logging.
3. Wait for inclusion at index N+k, k=>0.
4. Wait for next cosigned tree head.
    - Timestamp is T', where T' > T
    - Tree size is N', where N' > N+k
5. Download inclusion proof for tree size N'.

Now you can convince a believer that a sigsum is publicly logged.  Just
reveal inclusion proof which leads up to the second cosigned tree head.

Next, you can reveal the first cosigned tree head that _have not merged
that entry yet_.  This follows from the first cosigned tree head size,
and makes it obvious that the entry must have been merge after time T.

1 files changed, 4 insertions, 2 deletions

diff --git a/doc/api.md b/doc/api.md
index ea5a2a0..3f3db55 100644
--- a/doc/api.md
+++ b/doc/api.md
@@ -78,7 +78,9 @@ struct tree_head {
 ```
 `timestamp` is the time since the UNIX epoch (January 1, 1970 00:00 UTC) in
 seconds.  It is included so that monitors can be convinced of _freshness_ if
-enough witnesses added their cosignatures, see below.
+enough witnesses added their cosignatures.  A claimant may also use timestamps
+to prove to a believer that some logged data is current.  See timestamp
+verification in Section 2.3.2.
 
 `tree_size` is the number of leaves in a log.
 
@@ -207,7 +209,7 @@ Output on success:
 ### 3.3 - get-tree-head-cosigned
 Returns the latest cosigned tree head. Used together with `get-inclusion-proof`
 and `get-consistency-proof`.  Ensures that verifiers see the same statements as
-believers.
+believers.  May also be used to convince a believer about when logging happened.
 
 ```
 GET <base url>/sigsum/v0/get-tree-head-cosigned