Hi all,
In WEBCAT we're adding support for multiple signatures over the same artifact (a manifest). How we log that depends on the monitoring story.
One (probably not great) option would be to sign the artifact once with a known key (which one, though?) and log that artifact that includes the N signatures once in Sigsum. The downside is that the Sigsum leaf would then be discoverable only via the submitting key, not by the individual signer keys.
If we want per-key transparency, we should instead submit each signature over the artifact to Sigsum and get a proof for each. That seems best for monitoring and seems to be the least hacky design.
Assuming all signatures (and proofs) need to adhere to the same trust policy, there's a lot of duplication when gathering individual proofs. My understanding is that we can wait until all leaves are included in the same tree, collect a single cosigned tree head (STH), and verify the log signature and cosignatures once. Each leaf will have its own inclusion path, but many hashes will overlap. This reduces verification work (one STH validation instead of N) and total size on the wire.
Does this usage make sense? For a first step, I'd like to just fetch per-leaf proofs for the same tree size so I can reuse the same STH, without trying to merge paths yet. If that sounds reasonable, is this a mode of operation Sigsum would be interested in supporting in the client (i.e., worth a PR), or should I implement it on top using the log APIs directly?
Thanks! Giulio
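
The first step described in the message (per-leaf proofs fetched at one tree size and checked against one shared tree head) could look like the sketch below. It is an added example, not part of the original message and not Sigsum client code. It assumes RFC 6962-style SHA-256 Merkle hashing and that the tree head's log signature and cosignatures were already verified once; all function names and the sample leaves are constructed for illustration.

```python
import hashlib

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_and_path(leaves, i):
    """RFC 6962 root over leaf hashes plus the inclusion path for leaf i (sample-data helper)."""
    if len(leaves) == 1:
        return leaves[0], []
    k = 1
    while k * 2 < len(leaves):  # largest power of two strictly below len(leaves)
        k *= 2
    if i < k:
        l, p = root_and_path(leaves[:k], i)
        r, _ = root_and_path(leaves[k:], 0)
        return node_hash(l, r), p + [r]
    l, _ = root_and_path(leaves[:k], 0)
    r, p = root_and_path(leaves[k:], i - k)
    return node_hash(l, r), p + [l]

def verify_inclusion(leaf, index, size, path, root):
    """Inclusion check (RFC 9162, section 2.1.3.2) against an already-validated root hash."""
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return index < size and sn == 0 and r == root

def verify_batch(proofs, size, root):
    """Check N (leaf, index, path) proofs under one tree head; return (ok, distinct, total) path hashes."""
    seen, total = set(), 0
    for leaf, index, path in proofs:
        if not verify_inclusion(leaf, index, size, path, root):
            return False, 0, 0  # one bad proof fails the whole batch
        seen.update(path)
        total += len(path)
    return True, len(seen), total

# Constructed sample: a 7-leaf log in which leaves 2, 3 and 5 stand in for three signers' submissions.
LEAVES = [hashlib.sha256(b"\x00" + b"constructed-leaf-%d" % n).digest() for n in range(7)]
ROOT = root_and_path(LEAVES, 0)[0]
PROOFS = [(LEAVES[i], i, root_and_path(LEAVES, i)[1]) for i in (2, 3, 5)]
```

For the sample, `verify_batch(PROOFS, 7, ROOT)` reports 7 distinct path hashes out of 9 sent, which is the overlap a later path-merging step would remove.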