> so where is the latest key stored so that after a system has
> rebooted you can validate that the entire file hasn't been
> replaced by one from another system?
aiui, the verification key can calculate the keys at any given point in time. so the old key isn't needed, just the log and the verification key (which is kept elsewhere).
because the attacker can't calculate the keys from the past, they can't forge a validating log file that covers the past. they can delete it, or forge messages after the compromise, but can't go back in time.