From 72a7c79e55120b05aef7a8b356ee273984c7f1ce Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Thu, 7 Oct 2021 18:39:59 +0200 Subject: removed unnecessary sentence in threat model --- doc/.design.md.swp | Bin 0 -> 36864 bytes doc/design.md | 7 +++---- 2 files changed, 3 insertions(+), 4 deletions(-) create mode 100644 doc/.design.md.swp (limited to 'doc') diff --git a/doc/.design.md.swp b/doc/.design.md.swp new file mode 100644 index 0000000..8d9f93a Binary files /dev/null and b/doc/.design.md.swp differ diff --git a/doc/design.md b/doc/design.md index b177f85..57bc919 100644 --- a/doc/design.md +++ b/doc/design.md @@ -130,10 +130,9 @@ Transparency Log [\[DigiCert\]](https://groups.google.com/a/chromium.org/g/ct-policy/c/aKNbZuJzwfM). The overall system is said to be secure if a monitor can discover every signed -checksum that a verifier would accept, or alternatively, if log misbehavior can -be detected. A log can misbehave by not presenting the same append-only Merkle -tree to everyone. A log operator would only do that if it is likely to go -unnoticed. +checksum that a verifier would accept. A log can misbehave by not presenting +the same append-only Merkle tree to everyone because it is attacker-controlled. +However, a log operator would only do that if it is likely to go unnoticed. For security we need a collision resistant hash function and an unforgeable signature scheme. We also assume that at most a threshold of independent -- cgit v1.2.3