-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Friendlier intro/discussion for the Claimant Model #2980
base: master
Are you sure you want to change the base?
Conversation
|
||
The Claimant Model can be used to describe any system where an actor (`Believer`) performs some trusted action based on some | ||
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the | ||
Believer can not verify that the Claim is true, but believes it because they trust the Claimant. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see later you define the Verifier role, but would it be worth specifying what "verify the Claim" means here? This was something confusing initially, thinking that verifying = signature verification, not accuracy of the claim
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the | ||
Believer can not verify that the Claim is true, but believes it because they trust the Claimant. | ||
|
||
The situation above appears in countless settings in our everyday human lives. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you want to expand on this? Provide a non-technical example of a Believer and Claimant?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added an example but I think I backed out of doing this in the first place because I could foresee the objection that an implicit unsigned claim isn't technically a claim according to the claimant model. This is valid, but hopefully the example still provides an onramp for people to relate to the model even if it isn't perfect.
I'm open to replacing this with other examples, or deleting entirely.
(`Claim`) is signed by the correct package maintainer (`Claimant`). | ||
|
||
Above we state that it must be possible to verify that the Claim is true. | ||
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe a concrete example here, falsifying the TLS certificate claim?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm glad I left this for a day after returning from leave because I think yesterday I would have followed the easy path and written down that verifying the TLS chain was falsifying the claim. And it isn't. And this is the trap.
I've addressed this comment by writing a lot more text here that I think sows the seed. PTAL?
this factorization itself, but it can trivially multiply the factors together to confirm the result. | ||
- Believer will trust Claims from anyone: if the identity of the Claimant is not a factor in the Believer's decision to | ||
perform some action, then the Claimant Model provides little benefit. Such situtations are unfortunately | ||
still common, e.g. installing unsigned software/firmware. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either in this section or somewhere, is it worth explicitly stating that this expects that claims are present/discoverable in a transparency log? That's something that wasn't immediately obvious to me learning the model.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a TODO in the Verification section to continue the narrative there and introduce discoverability. Logs are a mechanism to achieve discoverability for verifiers, so that's the appropriate place to talk about logs IMO.
Does that address your comment, or is there some deeper connection with logs that you think that Claimant Model requires discussing?
compare this to a situation where every Claim is made in a publicly visible forum. | ||
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second | ||
case it would be discovered and a public investigation launched. | ||
This is the motivation for [transparency logs](https://transparency.dev). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part about the motivation of transparency might be useful higher up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand why you think that as the operator of a log. I have tried to stage this doc in a way that leads from the symptoms, to the underlying problem, and then on to the solution. Given that logs are the solution, it feels natural that they should appear later in the doc. Perhaps this is a fallacy though and the majority of readers will be familiar with the concept of logs and delaying introduction of them is unsatisfying.
I'll leave this comment open to reconsider the narrative structure. Perhaps instead of A-B-C-D this should be something more like A-c-B-C-D, i.e. tease the ending near the beginning but without going full https://en.wikipedia.org/wiki/Reverse_chronology.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've since added a TODO to consider adding something like this at the end of the Introduction section. WDYT?
|
||
The Claimant Model can be used to describe any system where an actor (`Believer`) performs some trusted action based on some | ||
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the | ||
Believer can not verify that the Claim is true, but believes it because they trust the Claimant. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false. | ||
We'll discuss _who_ can falsify Claims later. | ||
|
||
### Exceptions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder whether this section could be stripped out entirely. I think these are two examples of systems where transparency log would not really add anything. While it might seems clear to someone familiar with transparency ecosystems and logs, other people less familiar with these systems should realise this going through the exercise of writing the claimant model.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be stripped out, but it was added to set the idea for very eager people that there is a limit to where mapping to CM is useful. For example, I saw someone get overly excited about the claimant model and start to define asymmetric key usage using it. You can do it, but it makes things more complicated instead of reducing complexity.
|
||
## Trust | ||
|
||
Any ecosystem where the Claimant Model is [applicable](#applicability) has potential for exploit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get what you mean, but I find this quite negative. It seems like the Claimant model is incomplete, and allows for exploit, when in really it gives you the framework to think about these exploits.
How about something like "Claims made by the Claimant can be true of false. Since they are trusted by the Believers, a false Claim made under the identity of the Claimant would be believed by a Believer, and they would
perform some trusted action based on this false Claim.
The claimant model describes clarifies the relationship and incentives between Actors such that Believers can safely perform actions based on Claims."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm glad that this sentence was provocative. I think a little spice is required at points through long text to keep the interest and prompt alertness. That said, I don't want the takeaway from this to be "claimant model = bad".
I've added some more text here that I think turns this bold statement about exploitation into a motivation for using the claimant model instead of running away from it. PTAL?
I've referred to it as a book in a tongue-in-cheek way. It isn't intended to be as long as a book, but there are similarities in that it is intended to be read in order, and should favour accessibility over being absolutely technically correct from the offset.
b22afbe
to
61a52e6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great comments, thanks for the engagement. I'm feeling that this is still miles away from done, but hopefully the latest changes take it a step in the right direction.
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the | ||
Believer can not verify that the Claim is true, but believes it because they trust the Claimant. | ||
|
||
The situation above appears in countless settings in our everyday human lives. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added an example but I think I backed out of doing this in the first place because I could foresee the objection that an implicit unsigned claim isn't technically a claim according to the claimant model. This is valid, but hopefully the example still provides an onramp for people to relate to the model even if it isn't perfect.
I'm open to replacing this with other examples, or deleting entirely.
(`Claim`) is signed by the correct package maintainer (`Claimant`). | ||
|
||
Above we state that it must be possible to verify that the Claim is true. | ||
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm glad I left this for a day after returning from leave because I think yesterday I would have followed the easy path and written down that verifying the TLS chain was falsifying the claim. And it isn't. And this is the trap.
I've addressed this comment by writing a lot more text here that I think sows the seed. PTAL?
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false. | ||
We'll discuss _who_ can falsify Claims later. | ||
|
||
### Exceptions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be stripped out, but it was added to set the idea for very eager people that there is a limit to where mapping to CM is useful. For example, I saw someone get overly excited about the claimant model and start to define asymmetric key usage using it. You can do it, but it makes things more complicated instead of reducing complexity.
this factorization itself, but it can trivially multiply the factors together to confirm the result. | ||
- Believer will trust Claims from anyone: if the identity of the Claimant is not a factor in the Believer's decision to | ||
perform some action, then the Claimant Model provides little benefit. Such situtations are unfortunately | ||
still common, e.g. installing unsigned software/firmware. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a TODO in the Verification section to continue the narrative there and introduce discoverability. Logs are a mechanism to achieve discoverability for verifiers, so that's the appropriate place to talk about logs IMO.
Does that address your comment, or is there some deeper connection with logs that you think that Claimant Model requires discussing?
compare this to a situation where every Claim is made in a publicly visible forum. | ||
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second | ||
case it would be discovered and a public investigation launched. | ||
This is the motivation for [transparency logs](https://transparency.dev). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand why you think that as the operator of a log. I have tried to stage this doc in a way that leads from the symptoms, to the underlying problem, and then on to the solution. Given that logs are the solution, it feels natural that they should appear later in the doc. Perhaps this is a fallacy though and the majority of readers will be familiar with the concept of logs and delaying introduction of them is unsatisfying.
I'll leave this comment open to reconsider the narrative structure. Perhaps instead of A-B-C-D this should be something more like A-c-B-C-D, i.e. tease the ending near the beginning but without going full https://en.wikipedia.org/wiki/Reverse_chronology.
compare this to a situation where every Claim is made in a publicly visible forum. | ||
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second | ||
case it would be discovered and a public investigation launched. | ||
This is the motivation for [transparency logs](https://transparency.dev). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've since added a TODO to consider adding something like this at the end of the Introduction section. WDYT?
61a52e6
to
dcf72e2
Compare
I've referred to it as a book in a tongue-in-cheek way. It isn't intended to be as long as a book, but there are similarities in that it is intended to be read in order, and should favour accessibility over being absolutely technically correct from the offset.