Rasmus Dahlberg <rgdd@glasklarteknik.se> writes:

> On Thu, Nov 17, 2022 at 03:21:12PM +0100, Sigsum General wrote:
>> More concisely: An isolated cosignature (without history) does not make a claim about the state of the log, it makes a claim about the state of the witness.
>> Does that make sense?
>
> I disagree that there's no claim about the log's state. I agree that the central part is what (local append-only state) the witness is in.
I think my argument is that a *pair* of cosignatures makes a claim about log state: It says that all leaves in the tree corresponding to the smaller cosigned tree are still present in the larger cosigned tree, since the witness has either verified a consistency proof directly connecting the two trees, or a chain of such consistency proofs via some other tree heads that it has cosigned.
But a *single* cosignature doesn't: if there's no additional evidence, the verifier has to assume that this is the witness' very first cosignature.
I think I'd also like to argue that the history of the log is not that interesting to a verifier about to decide whether or not to accept a logged signature. What's relevant is to establish that the signature of interest is observed by the witness, and hence, that future attempts by the log to erase it from history will be noticed.
To me, there appears to be an important link between witnesses and monitors. Consider the attack case, that an unauthorised signature is added to the log (e.g., to accompany a doctored software update). That can be detected, if the signature appears on the *monitor*'s view of the log. Does the witness cosignature imply that the signature will be observed also by the monitor? That seems a bit subtle, but I think it should, *if* the client and the monitor share witnesses. And on the other hand, in the somewhat pathologic case where client and monitor trust disjoint sets of witnesses, there's no connection, and the log could let the two sets of witnesses see completely different trees, with no one noticing.
BTW, this might add an interesting requirement for the log-witness protocol. It will make it harder for the log to sustain a split view if, in the protocol, it has to commit to a tree head *before* learning the identity of the witness asking for it. So it's desirable to enable the witness to be anonymous to the log up to the point where it provides a cosignature and reveals its key hash.
Regards,
/Niels
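The shared-witness argument in the message above, as an added model that is not part of the original mail or of Sigsum's code: a hash chain stands in for the Merkle tree and its consistency proofs, cosignatures are unsigned tuples, and the leaf values, witness names, and the policy that every listed witness must cosign are all constructed assumptions.

```python
import hashlib

GENESIS = b"\x00" * 32  # constructed starting head for the empty log

def chain(head, leaves):
    """Extend a hash-chain head; a simplified stand-in for a Merkle tree head."""
    for leaf in leaves:
        head = hashlib.sha256(head + hashlib.sha256(leaf).digest()).digest()
    return head

class Witness:
    """Holds only local append-only state: the last (size, head) it cosigned."""
    def __init__(self, name):
        self.name, self.size, self.head = name, 0, GENESIS

    def cosign(self, new_size, new_head, appended):
        # 'appended' plays the role of a consistency proof: the leaves added
        # since the last cosigned head. Refuse anything that does not extend it.
        if new_size != self.size + len(appended) or chain(self.head, appended) != new_head:
            return None
        self.size, self.head = new_size, new_head
        return (self.name, new_size, new_head)  # unsigned stand-in for a cosignature

def request_cosignatures(view, witnesses):
    """The log shows one view of its leaves to the given witnesses."""
    head = chain(GENESIS, view)
    results = [w.cosign(len(view), head, view[w.size:]) for w in witnesses]
    return [c for c in results if c is not None]

def split_view_succeeds(client_names, monitor_names):
    """True if the log gets all client witnesses and all monitor witnesses to
    cosign two different trees (assumed policy: every listed witness required)."""
    ws = {n: Witness(n) for n in set(client_names) | set(monitor_names)}
    prefix = [b"release-1.0", b"release-1.1"]           # constructed leaves
    request_cosignatures(prefix, list(ws.values()))     # honest shared history
    for_client = request_cosignatures(prefix + [b"doctored-update"],
                                      [ws[n] for n in client_names])
    for_monitor = request_cosignatures(prefix + [b"release-1.2"],
                                       [ws[n] for n in monitor_names])
    return len(for_client) == len(client_names) and len(for_monitor) == len(monitor_names)

if __name__ == "__main__":
    print("disjoint witnesses:", split_view_succeeds(["w1", "w2"], ["w3", "w4"]))
    print("shared witness w2: ", split_view_succeeds(["w1", "w2"], ["w2", "w3"]))
```

With disjoint sets both views collect all their cosignatures; with `w2` in both sets, `w2` cosigns the first tree it is shown and refuses the second, so the monitor's view is left without a complete set.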