
Transparency


Posted Mar 12, 2021 22:52 UTC (Fri) by Jan_Zerebecki (guest, #70319)
In reply to: Transparency by tialaramex
Parent article: The Linux Foundation's "sigstore" project

> And CT isn't even really finished. A sufficiently powerful and nefarious actor could pervert things pretty badly, and the features mooted to prevent that mechanically ("Gossip" protocols and consistency proof checking) are not in fact deployed.

Yes, Trillian AKA CT (which sigstore uses as a dependency) explicitly mentions that it does not yet protect against split view attacks, where an attacker completely simulates a log with different content just for you.

> But in the space sigstore wants to occupy [...] this technology doesn't do what you need in that circumstance at all.

Do you have any suggestions for technology that would be better? I'd have use for a way to detect when others see e.g. the content of Linux 5.11.0 as different than what I see.



Transparency

Posted Mar 13, 2021 4:13 UTC (Sat) by pabs (subscriber, #43278) [Link]

These DebConf talks introduce a gossip hub, which IIRC is meant to attempt to prevent split view attacks:

https://debconf18.debconf.org/talks/104-software-transpar...
https://debconf19.debconf.org/talks/66-software-transpare...
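
The split-view detection discussed in this thread, as an added example that is not part of any commenter's post and is not Trillian, sigstore or gossip-hub code: a monitor that holds its own copy of a log's entries recomputes the Merkle root (RFC 6962 hashing) at each gossiped tree size and flags heads that do not match. The peer names, log entries and function names are constructed for illustration.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962: leaves and interior nodes use different prefixes
    return hashlib.sha256(b"\x00" + entry).digest()

def merkle_root(entries) -> bytes:
    """RFC 6962 Merkle Tree Hash over an ordered list of entries."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = 1
    while k * 2 < n:          # largest power of two strictly below n
        k *= 2
    left, right = merkle_root(entries[:k]), merkle_root(entries[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()

def inconsistent_heads(my_entries, gossiped):
    """Return peers whose (size, root) cannot come from the log view we hold.

    A mismatch means the log served two different histories, i.e. a split view.
    Heads larger than our copy are skipped: we cannot judge them yet.
    """
    flagged = []
    for peer, size, root in gossiped:
        if size > len(my_entries):
            continue
        if merkle_root(my_entries[:size]) != root:
            flagged.append(peer)
    return flagged

# Constructed sample data: the view most clients get, and a forked view
# in which the second entry was swapped for one targeted client.
HONEST = [b"linux-5.11.0 digest-A", b"linux-5.11.1 digest-B", b"linux-5.11.2 digest-C"]
FORKED = [HONEST[0], b"linux-5.11.1 digest-X", HONEST[2]]

def demo():
    gossiped = [
        ("alice", 2, merkle_root(HONEST[:2])),
        ("bob", 3, merkle_root(HONEST)),
        ("victim", 3, merkle_root(FORKED)),      # was served the forked log
        ("carol", 1, merkle_root(FORKED[:1])),   # fork starts after entry 1
        ("dave", 5, b"\x00" * 32),               # ahead of our copy, skipped
    ]
    return inconsistent_heads(HONEST, gossiped)

if __name__ == "__main__":
    print(demo())
```

A client that cannot mirror the entries needs a consistency proof from the log to compare heads of different sizes, which this example does not implement.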

