Niels Möller via Sigsum-general sigsum-general@lists.sigsum.org writes:
But a *single* cosignature doesn't: if there's no additional evidence, the verifier has to assume that this is the witness' very first cosignature.
I think I'd also like to argue that history of the log is not that interesting to a verifier about to decide whether or not to accept a logged signature. What's relevant is to establish that the signature of interest is observed by the witness, and hence, that future attempts by the log to erase it from history will be noticed.
Let me try to wrap this up, after pondering the question for some more time. I'm approaching the question from the point of view of a client verifier about to decide whether to accept an update (or some other requested action) based on a "sigsum proof", including a relevant logged checksum, an inclusion proof binding it to some tree head, and cosignatures on that tree head.
I think I stand by "history of the log is not that interesting". Maybe a better angle is to say that the point of the cosignature is to evidence that the supposedly public log actually has published the item, in a way that is hard to "un-publish".
So the cosignature means that the item has been inserted into the sigsum machinery, promising that if other sigsum participants (in particular monitors and selected witnesses) act honestly and reliably, then an unauthorized signature will be detected in a timely manner. Which is a lot more complex than trying to understand the signature as the witness making a meaningful statement about the log's state.
Regards, /Niels