17 Jun 2025, 11:44 a.m.
Giulio via Sigsum-general <sigsum-general@lists.sigsum.org> writes:
> As part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time one that actually checks inclusion proofs ;)
Nice! A few comments after a first quick look.

Verification usually deals with public values only. So not sure what your threat model is, but I suspect that using constantTimeBufferEqual is overkill (in crypto.ts, verifyInclusionProof).

Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?

Regards,
/Niels