aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/design.md19
1 files changed, 10 insertions, 9 deletions
diff --git a/doc/design.md b/doc/design.md
index 9df24f0..22ceb1d 100644
--- a/doc/design.md
+++ b/doc/design.md
@@ -284,21 +284,22 @@ using a variant of witness cosigning. A verifier cannot be
tricked into accepting data whose checksum have not been publicly logged
unless the attacker controls more than a threshold of witnesses.
+In a less ideal world sigsum logging can facilitate detection of attacks if a
+verifier _fails open_ by enforcing the second and third criteria partially. For
+example, some verifier may not enforce these criteria at all, and so would
+accept data from a malicious data mirror without proofs of public logging.
+Someone in a similar area may be able to detect this and report the attack.
+
+Another example of partial enforcement would be if a verifier required logging
+in a known log without witnessing. Attacks against the signer's signing and
+release infrastructure would be detected if the log is not compromised.
+
#### 3.2.6 - Monitoring
An often overlooked step is that transparency logging falls short if no-one keeps
track of what appears in the public logs. Monitoring is necessarily use-case
specific in sigsum. At a minimum, a monitor needs to locate relevant public keys. It
may also need to be aware of how to locate the data that a given checksum represents.
-It should also be noted that sigsum logging can facilitate detection of attacks
-even if a verifier fails open by enforcing the third and fourth criteria partially
-in Section 3.2.5. For example, the fact that a distribution mechanism does not
-serve proofs of public logging could indicate that there is an ongoing attack
-against a signer's distributed infrastructure. A monitor may detect that.
-
-[["fails open" needs an explanation /ln]]
-[["by enforcing the third and fourth criteria partially in Section 3.2.5" needs a little more context -- partially how? /ln]]
-
### 3.3 - Summary
[[move the summary to the top of section 3? /ln]]
Sigsum logs are sharded and shut down at predefined times. A sigsum log can