Hi Giulio,
Thanks for sharing, nice project! It's also fun to see in action that the Sigsum formats are relatively easy to work with in a web extension.
I couldn't help to notice
https://github.com/freedomofpress/webcat/blob/main/extension/src/sigsum/sigs...
when doing a brief look around. A Merkle tree is not always balanced. If you want some inclusion-proof verification pointers, take a look at:
https://gitlab.torproject.org/rgdd/ct/-/blob/main/doc/tlog-algorithms.md?ref...
I wish I could also point you to some generally useful test vectors for Merkle trees and Sigsum. This is unfortunately deep down in our backlog.
Are you by any chance aware of Michael Rosenberg's
https://docs.google.com/document/d/15PaxeWcRNTvjZzrwI1JpUKqooyMv6kmK12H51v9i...
work on web app transparency? I stumbled across the above as part of a c2sp.org spec discussions today, and I would be interested in a diff!
https://github.com/C2SP/C2SP/issues/115
Let us know if there's anything in particular you wish to get input on. So far I've only scratched the surface of your and Michael's links.
Let us know when the thesis is available, I'd like to check it out!
-Rasmus
On Fri, Mar 21, 2025 at 08:54:42AM +0200, Sigsum General wrote:
Hi all,
For my master's thesis, and as a way to showcase a solution to the long-standing problem of using web applications for cryptographic tasks in the browser, without having to rely on server trust, I've developed a system that integrates a few components:
- Sigsum is used to transparently build a list of authorized signers for
each domain that wants to participate in the system.
- Sigstore is used to sign executable web assets (JS, HTML, CSS, WASM)
using OIDC identities, with the authorization for a specific domain verified against the Sigsum-powered list.
The demo shows the system securing some of the most common self-hostable web apps, such as Jitsi, Element, and CryptPad.
There is currently some shared interest from the Tor Project in bringing similar functionality into TBB.
For a higher-level description, see [1], and for the project repository, see [2]. I’ll share my thesis at a later date, which will include additional insights and threat modeling for the whole system.
Cheers Giulio
[1] - https://securedrop.org/news/introducing-webcat-web-based-code-assurance-and-... [2] - https://github.com/freedomofpress/webcat _______________________________________________ Sigsum-general mailing list -- sigsum-general@lists.sigsum.org To unsubscribe send an email to sigsum-general-leave@lists.sigsum.org