Introducing Sigsum: Transparency logging of signed checksums

Fredrik Strömberg stromberg at mullvad.net
Thu Oct 14 15:49:31 UTC 2021


Hi everyone,

I promised earlier this year to keep this list updated with major
milestones related to the System Transparency project.

ST's main goal is to increase infrastructure transparency and
trustworthiness. One of the technologies it relies on is transparency
logging. It brings me great joy to say that after a year of design
iterations we have not only designed a transparency log but also
decided to turn it into a project of its own. See link and attached
email below.

https://lists.sigsum.org/sigsum-general/msg00001.html

At this point we would love community feedback on the design. Once we
feel confident enough for a v1 API, we plan to operate a sigsum log
and a cosigning witness as a public good - and find others to do the
same.

We would be grateful for your feedback. Especially as we believe
transparency logging is very useful for reproducible builds.

Cheers,
Fredrik Strömberg

---------- Forwarded message ---------
From: Rasmus Dahlberg <rasmus at mullvad.net>
Date: Wed, Oct 13, 2021 at 6:12 PM
Subject: [sigsum-general] Sigsum project launch
To: <sigsum-general at lists.sigsum.org>


Hi everyone,

Today we are launching Sigsum, a free and open source software project
that revolves around transparency logs and their applications.

While most other logging efforts focus on concrete data structures like
TLS certificates, sigsum logs are meant to be general building blocks
that support signed checksums and minimally required metadata. It is up
to the signer to determine what a checksum should represent.

For example, Mozilla's take on Binary Transparency [1] fits into the
intended use of sigsum logging.  By avoiding the Certificate
Transparency design, complexity can be reduced.  Sigsum logging has no
SCTs, complicated ASN.1 parsers, or reactive gossip-audit protocols.

Minimalism, distributed trust, and centralized log operations make up
our key pillars. These characteristics keep the attack surface small.
They also simplify usage, operations, and verification of sigsum logs.

To learn more about sigsum logging, please refer to our design and API
documentation [2, 3].  There is also a public prototype available [4].

Would you like to be part of the conversation?  We have open Jitsi
meetings on Tuesdays at 11:00 UTC.  Meeting minutes and linked pads are
persisted in our archive for transparency and future reference [5].

Asynchronous interactions take place on IRC, Matrix, and email.

Website: https://www.sigsum.org/
Source: https://git.sigsum.org/
Pads: https://pad.sigsum.org/

Email: https://lists.sigsum.org/
IRC: #sigsum @ OFTC.net
Matrix: #sigsum:matrix.org
Jitsi: https://meet.sigsum.org/

About Sigsum
---
Sigsum started out as one part of the System Transparency project [6].

Early drafts of the public log element can be traced back to 2019 [7].
More focused design iterations started in October, 2020 [8].  Mature
drafts of what is now sigsum logging were presented in Q2 of 2021 [9-11].

Links
---
1: https://wiki.mozilla.org/Security/Binary_Transparency
2: https://git.sigsum.org/sigsum/tree/doc/design.md
3: https://git.sigsum.org/sigsum/tree/doc/api.md
4: https://git.sigsum.org/sigsum-log-go/tree/README.md
5: https://git.sigsum.org/sigsum/tree/archive
6: https://git.sigsum.org/sigsum/tree/doc/history.md
7: https://mullvad.net/blog/2019/6/3/system-transparency-future/
8: https://github.com/system-transparency/stfe/commit/40250377da81864e9e502b803c0543c48e4a0615
9: https://web.archive.org/web/20210427203606/https://hopin.com/events/padsec
10: https://web.archive.org/web/20210603112144/https://swits.hotell.kau.se/AnnualSeminars/SWITS%202021/SWITS_2021/SWITS2021_Programme.htm
11: https://web.archive.org/web/20210923134324/https://swits.hotell.kau.se/AnnualSeminars/SWITS%202021/SWITS_2021/SWITS_2021_paper_17.pdf