Niels Möller via Sigsum-general sigsum-general@lists.sigsum.org writes:
this is a question that I hope is convered in the literature on transparency logs, but what meaning do we assign to a single, isolated, cosignature?
I've pondered this question a bit more. And in the mean time, we have also changed the sigsum cosignatures to include a timestamp. For a start, I think it makes things clearer to think about the cosignature as the signature on a tree (rather than, as a signature on a published tree head), i.e., think about it as a signature on a set of leaves; that its a signature on a merkle tree root hash is an implementation detail.
In the current protocol, the cosignature covers the log's key hash (KH) (acting as the identity of a log), a root hash (TREE), and a timestamp (T). I think it can be understood as the witness making the following three claims:
1. I have observed TREE published by KH.
2. As of time T, it's the most recent publication I've seen from KH.
3. TREE includes all leaves from KH that I have ever cosigned.
For a proof verifier, claim (1) is the interesting one, since it's proof of logging in a known (and usually public) log. The benefit of this to the verifier is indirect, thanks to other actors in the sigsum system.
Claim (3) is related to monitoring, since it implies that when a monitor retrieves all leaves of TREE, it gets everything the witness has cosigned.
The relevance of claim (2) is a bit fuzzy to me, but it is related to the monitor's need to have a fresh view of the log.
From this view, the append-only property, and the witness' use of consistency proofs, is merely a means to make it practical and efficient for the witness to make claim (3). But it would in principle work just as fine if the witness signs and makes available the signed leaf sets by any other means.
I tink it's just confusing to think that the witness make some claim about the log being append-only or consistent. The witness makes a claim about an observation of a published tree, and a claim about that tree's relation to other trees that the witness itself has cosigned previously.
Regards, /Niels