From 8211f0ecdf8a65584d34ee177616dda80ebcab17 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Sun, 10 Oct 2021 20:00:51 +0200 Subject: reworked partial enforcement of verification criteria - Expanded into two separate examples - Moved it into the verification subsection --- doc/design.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'doc/design.md') diff --git a/doc/design.md b/doc/design.md index 9df24f0..22ceb1d 100644 --- a/doc/design.md +++ b/doc/design.md 
@@ -284,21 +284,22 @@ using a variant of witness cosigning. A verifier cannot be tricked into accepting data whose checksum have not been publicly logged unless the attacker controls more than a threshold of witnesses. +In a less ideal world sigsum logging can facilitate detection of attacks if a +verifier _fails open_ by enforcing the second and third criteria partially. For +example, some verifier may not enforce these criteria at all, and so would +accept data from a malicious data mirror without proofs of public logging. +Someone in a similar area may be able to detect this and report the attack. + +Another example of partial enforcement would be if a verifier required logging +in a known log without witnessing. Attacks against the signer's signing and +release infrastructure would be detected if the log is not compromised. + #### 3.2.6 - Monitoring An often overlooked step is that transparency logging falls short if no-one keeps track of what appears in the public logs. Monitoring is necessarily use-case specific in sigsum. At a minimum, a monitor needs to locate relevant public keys. It may also need to be aware of how to locate the data that a given checksum represents. -It should also be noted that sigsum logging can facilitate detection of attacks -even if a verifier fails open by enforcing the third and fourth criteria partially -in Section 3.2.5. For example, the fact that a distribution mechanism does not -serve proofs of public logging could indicate that there is an ongoing attack -against a signer's distributed infrastructure. A monitor may detect that. - -[["fails open" needs an explanation /ln]] -[["by enforcing the third and fourth criteria partially in Section 3.2.5" needs a little more context -- partially how? /ln]] - ### 3.3 - Summary [[move the summary to the top of section 3? /ln]] Sigsum logs are sharded and shut down at predefined times. A sigsum log can -- cgit v1.2.3
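Review bot: The new first paragraph still uses "_fails open_" without saying what it means, even though the removed inline comment ("fails open" needs an explanation /ln) asked for exactly that; the italics signal a term of art but give the reader nothing to check against. Consider a short gloss in the sentence itself, e.g. "if a verifier _fails open_, i.e. accepts data even when some of the logging proofs are missing, by enforcing the second and third criteria partially". Two smaller points in the same hunk: the criteria references changed from "third and fourth" in the removed text to "second and third" in the added text, and since the list in 3.2.5 is outside this diff it is worth confirming the new numbers match that list; and "Someone in a similar area may be able to detect this" is vague about who does the detecting, whereas the following 3.2.6 subsection already names the monitor role, so naming it here ("a monitor watching the same log") would tie the two subsections together.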