Today we are launching Sigsum, a free and open source software project
that revolves around transparency logs and their applications.
While most other logging efforts focus on concrete data structures like
TLS certificates, sigsum logs are meant to be general building blocks
that support signed checksums and minimally required metadata. It is up
to the signer to determine what a checksum should represent.
For example, Mozilla's take on Binary Transparency fits into the
intended use of sigsum logging. By avoiding the Certificate
Transparency design, complexity can be reduced. Sigsum logging has no
SCTs, complicated ASN.1 parsers, or reactive gossip-audit protocols.
Minimalism, distributed trust, and centralized log operations make up
our key pillars. These characteristics keep the attack surface small.
They also simplify usage, operations, and verification of sigsum logs.
To learn more about sigsum logging, please refer to our design and API
documentation [2, 3]. There is also a public prototype available.
Would you like to be part of the conversation? We have open Jitsi
meetings on Tuesdays at 11:00 UTC. Meeting minutes and linked pads are
persisted in our archive for transparency and future reference.
Asynchronous interactions take place on IRC, Matrix, and email.
IRC: #sigsum @ OFTC.net
Sigsum started out as one part of the System Transparency project.
Early drafts of the public log element can be traced back to 2019.
More focused design iterations started in October 2020. Mature
drafts of what is now sigsum logging were presented in Q2 of 2021 [9-11].