17 Jun
2025
17 Jun
'25
9:44 a.m.
Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
as part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time that actually checks inclusion proofs ;)
Nice!
A few comments after a first quick look.
Verification usually deals with public values only. So not sure what your threat model is, but I suspect that using constantTimeBufferEqual is overkill (in crypto.ts, verifyInclusionProof).
Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?
Regards, /Niels