From 8c10d09289289ddbc349503dac4b0493bf73b2b3 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Tue, 12 Oct 2021 17:43:03 +0200 Subject: removed comments about partial enforcement To be re-added at a later time somewhere else. It is not helpful for a reader that is trying to understand the basic design for the first time. Spotted by ln5. --- doc/design.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/doc/design.md b/doc/design.md index 821ba88..e1f3b5e 100644 --- a/doc/design.md +++ b/doc/design.md @@ -294,16 +294,6 @@ logs have trustworthy tree heads thanks to using a variant of witness cosigning. A verifier cannot be tricked into accepting data whose checksum have not been publicly logged unless the attacker controls more than a threshold of witnesses. -In a less ideal world sigsum logging can facilitate detection of attacks if a -verifier _fails open_ by enforcing the second and third criteria partially. For -example, some verifier may not enforce these criteria at all, and so would -accept data from a malicious data mirror without proofs of public logging. -Someone in a similar area may be able to detect this and report the attack. - -Another example of partial enforcement would be if a verifier required logging -in a known log without witnessing. Attacks against the signer's signing and -release infrastructure would be detected if the log is not compromised. - #### 3.2.6 - Monitoring An often overlooked step is that transparency logging falls short if no-one keeps track of what appears in the public logs. Monitoring is necessarily -- cgit v1.2.3