Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Friendlier intro/discussion for the Claimant Model #2980

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

mhutchinson
Copy link
Contributor

I've referred to it as a book in a tongue-in-cheek way. It isn't intended to be as long as a book, but there are similarities in that it is intended to be read in order, and should favour accessibility over being absolutely technically correct from the offset.

docs/claimantmodel/Book.md Outdated Show resolved Hide resolved

The Claimant Model can be used to describe any system where an actor (`Believer`) performs some trusted action based on some
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the
Believer can not verify that the Claim is true, but believes it because they trust the Claimant.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see later you define the Verifier role, but would it be worth specifying what "verify the Claim" means here? This was something confusing initially, thinking that verifying = signature verification, not accuracy of the claim

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the
Believer can not verify that the Claim is true, but believes it because they trust the Claimant.

The situation above appears in countless settings in our everyday human lives.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you want to expand on this? Provide a non-technical example of a Believer and Claimant?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added an example but I think I backed out of doing this in the first place because I could foresee the objection that an implicit unsigned claim isn't technically a claim according to the claimant model. This is valid, but hopefully the example still provides an onramp for people to relate to the model even if it isn't perfect.

I'm open to replacing this with other examples, or deleting entirely.

(`Claim`) is signed by the correct package maintainer (`Claimant`).

Above we state that it must be possible to verify that the Claim is true.
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a concrete example here, falsifying the TLS certificate claim?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm glad I left this for a day after returning from leave because I think yesterday I would have followed the easy path and written down that verifying the TLS chain was falsifying the claim. And it isn't. And this is the trap.

I've addressed this comment by writing a lot more text here that I think sows the seed. PTAL?

this factorization itself, but it can trivially multiply the factors together to confirm the result.
- Believer will trust Claims from anyone: if the identity of the Claimant is not a factor in the Believer's decision to
perform some action, then the Claimant Model provides little benefit. Such situtations are unfortunately
still common, e.g. installing unsigned software/firmware.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either in this section or somewhere, is it worth explicitly stating that this expects that claims are present/discoverable in a transparency log? That's something that wasn't immediately obvious to me learning the model.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a TODO in the Verification section to continue the narrative there and introduce discoverability. Logs are a mechanism to achieve discoverability for verifiers, so that's the appropriate place to talk about logs IMO.

Does that address your comment, or is there some deeper connection with logs that you think that Claimant Model requires discussing?

compare this to a situation where every Claim is made in a publicly visible forum.
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second
case it would be discovered and a public investigation launched.
This is the motivation for [transparency logs](https://transparency.dev).

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part about the motivation of transparency might be useful higher up.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand why you think that as the operator of a log. I have tried to stage this doc in a way that leads from the symptoms, to the underlying problem, and then on to the solution. Given that logs are the solution, it feels natural that they should appear later in the doc. Perhaps this is a fallacy though and the majority of readers will be familiar with the concept of logs and delaying introduction of them is unsatisfying.

I'll leave this comment open to reconsider the narrative structure. Perhaps instead of A-B-C-D this should be something more like A-c-B-C-D, i.e. tease the ending near the beginning but without going full https://en.wikipedia.org/wiki/Reverse_chronology.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've since added a TODO to consider adding something like this at the end of the Introduction section. WDYT?

docs/claimantmodel/Book.md Show resolved Hide resolved
docs/claimantmodel/Book.md Show resolved Hide resolved
docs/claimantmodel/Book.md Show resolved Hide resolved
@phbnf phbnf self-requested a review May 2, 2023 13:08

The Claimant Model can be used to describe any system where an actor (`Believer`) performs some trusted action based on some
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the
Believer can not verify that the Claim is true, but believes it because they trust the Claimant.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

This means that all Claims must be _falsifiable_, i.e. they are able to be proven false.
We'll discuss _who_ can falsify Claims later.

### Exceptions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder whether this section could be stripped out entirely. I think these are two examples of systems where transparency log would not really add anything. While it might seems clear to someone familiar with transparency ecosystems and logs, other people less familiar with these systems should realise this going through the exercise of writing the claimant model.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be stripped out, but it was added to set the idea for very eager people that there is a limit to where mapping to CM is useful. For example, I saw someone get overly excited about the claimant model and start to define asymmetric key usage using it. You can do it, but it makes things more complicated instead of reducing complexity.


## Trust

Any ecosystem where the Claimant Model is [applicable](#applicability) has potential for exploit.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get what you mean, but I find this quite negative. It seems like the Claimant model is incomplete, and allows for exploit, when in really it gives you the framework to think about these exploits.

How about something like "Claims made by the Claimant can be true of false. Since they are trusted by the Believers, a false Claim made under the identity of the Claimant would be believed by a Believer, and they would
perform some trusted action based on this false Claim.
The claimant model describes clarifies the relationship and incentives between Actors such that Believers can safely perform actions based on Claims."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm glad that this sentence was provocative. I think a little spice is required at points through long text to keep the interest and prompt alertness. That said, I don't want the takeaway from this to be "claimant model = bad".

I've added some more text here that I think turns this bold statement about exploitation into a motivation for using the claimant model instead of running away from it. PTAL?

docs/claimantmodel/Book.md Show resolved Hide resolved
I've referred to it as a book in a tongue-in-cheek way. It isn't intended to be as long as a book, but there are similarities in that it is intended to be read in order, and should favour accessibility over being absolutely technically correct from the offset.
Copy link
Contributor Author

@mhutchinson mhutchinson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great comments, thanks for the engagement. I'm feeling that this is still miles away from done, but hopefully the latest changes take it a step in the right direction.

docs/claimantmodel/Book.md Outdated Show resolved Hide resolved
information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the
Believer can not verify that the Claim is true, but believes it because they trust the Claimant.

The situation above appears in countless settings in our everyday human lives.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added an example but I think I backed out of doing this in the first place because I could foresee the objection that an implicit unsigned claim isn't technically a claim according to the claimant model. This is valid, but hopefully the example still provides an onramp for people to relate to the model even if it isn't perfect.

I'm open to replacing this with other examples, or deleting entirely.

(`Claim`) is signed by the correct package maintainer (`Claimant`).

Above we state that it must be possible to verify that the Claim is true.
This means that all Claims must be _falsifiable_, i.e. they are able to be proven false.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm glad I left this for a day after returning from leave because I think yesterday I would have followed the easy path and written down that verifying the TLS chain was falsifying the claim. And it isn't. And this is the trap.

I've addressed this comment by writing a lot more text here that I think sows the seed. PTAL?

This means that all Claims must be _falsifiable_, i.e. they are able to be proven false.
We'll discuss _who_ can falsify Claims later.

### Exceptions
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be stripped out, but it was added to set the idea for very eager people that there is a limit to where mapping to CM is useful. For example, I saw someone get overly excited about the claimant model and start to define asymmetric key usage using it. You can do it, but it makes things more complicated instead of reducing complexity.

this factorization itself, but it can trivially multiply the factors together to confirm the result.
- Believer will trust Claims from anyone: if the identity of the Claimant is not a factor in the Believer's decision to
perform some action, then the Claimant Model provides little benefit. Such situtations are unfortunately
still common, e.g. installing unsigned software/firmware.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a TODO in the Verification section to continue the narrative there and introduce discoverability. Logs are a mechanism to achieve discoverability for verifiers, so that's the appropriate place to talk about logs IMO.

Does that address your comment, or is there some deeper connection with logs that you think that Claimant Model requires discussing?

compare this to a situation where every Claim is made in a publicly visible forum.
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second
case it would be discovered and a public investigation launched.
This is the motivation for [transparency logs](https://transparency.dev).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand why you think that as the operator of a log. I have tried to stage this doc in a way that leads from the symptoms, to the underlying problem, and then on to the solution. Given that logs are the solution, it feels natural that they should appear later in the doc. Perhaps this is a fallacy though and the majority of readers will be familiar with the concept of logs and delaying introduction of them is unsatisfying.

I'll leave this comment open to reconsider the narrative structure. Perhaps instead of A-B-C-D this should be something more like A-c-B-C-D, i.e. tease the ending near the beginning but without going full https://en.wikipedia.org/wiki/Reverse_chronology.

docs/claimantmodel/Book.md Show resolved Hide resolved
docs/claimantmodel/Book.md Show resolved Hide resolved
docs/claimantmodel/Book.md Show resolved Hide resolved
compare this to a situation where every Claim is made in a publicly visible forum.
In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second
case it would be discovered and a public investigation launched.
This is the motivation for [transparency logs](https://transparency.dev).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've since added a TODO to consider adding something like this at the end of the Introduction section. WDYT?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants