On Mon, May 05, 2025 at 11:37:05AM +0300, Sigsum-general wrote:
Hi all,
On 25/03/2025 18:38, Rasmus Dahlberg via Sigsum-general wrote:
I couldn't help but notice
https://github.com/freedomofpress/webcat/blob/main/extension/src/sigsum/sigs...
when doing a brief look around. A Merkle tree is not always balanced. If you want some inclusion-proof verification pointers, take a look at:
https://gitlab.torproject.org/rgdd/ct/-/blob/main/doc/tlog-algorithms.md?ref...
I wish I could also point you to some generally useful test vectors for Merkle trees and Sigsum. This is unfortunately deep down in our backlog.
Thanks for pointing that out :) I rushed the PoC to graduate, but if we end up using Sigsum in prod, then I'd spend a significant amount of time making that a decent library, and I could help back with the test suite. We could take some inspiration from [1] and [2] and build something that is implementation-agnostic.
I started on implementation-agnostic Merkle tree test vectors here a long while ago (basically porting test vectors I only had in Go):
https://github.com/rgdd/CCTV/tree/merkle/merkle
Agree it would be great to also have implementation-agnostic test vectors for Sigsum. Any help in this space is much appreciated!
Are you by any chance aware of Michael Rosenberg's
https://docs.google.com/document/d/15PaxeWcRNTvjZzrwI1JpUKqooyMv6kmK12H51v9i...
work on web app transparency? I stumbled across the above as part of a c2sp.org spec discussion today, and I would be interested in a diff!
We met at RWC and are discussing the proposals and seeing how to converge! I think neither is definitive right now, and there's a lot to work on.
Splendid!
Let us know if there's anything in particular you wish to get input on. So far I've only scratched the surface of your and Michael's links.
Let us know when the thesis is available, I'd like to check it out!
The full text is now at [3]. I hope I didn't do a bad job at describing Sigsum, but I'm obviously open to feedback for future revisions.
Many thanks, adding it to my read queue. :)
-Rasmus
Cheers Giulio
[1] - https://github.com/sigstore/sigstore-conformance
[2] - https://github.com/theupdateframework/tuf-conformance
[3] - https://eprint.iacr.org/2025/797