Hi, thanks for the quick feedback!
On 17/06/2025 11:44, Niels Möller via Sigsum-general wrote:
Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
as part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time that actually checks inclusion proofs ;)
Nice!
A few comments after a first quick look.
Verification usually deals with public values only. So not sure what your threat model is, but I suspect that using constantTimeBufferEqual is overkill (in crypto.ts, verifyInclusionProof).
I think you are right, will update before a first release :)
Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?
It seemed more efficient, but I did not do any measurement, though I'll need to run the verifier in real time while a user is waiting a website to load. Do you think there's reasons not to do it, or that on the average it is likely more expensive to do the extra check every loop?
Cheers, Giulio