How to design a verifiable system

Is anyone monitoring the integrity of your data, or could it be tampered with without anyone spotting it?

Is anyone verifying the authenticity of the data in the log, or are you blindly trusting it?

Are you logging enough to actually gain a benefit, or so much that you risk releasing something sensitive?

Design a verifiable system and get more from your log

For a system to be verifiable, you need to think more carefully about what you're logging and why. Who relies on the log? Who can verify its contents and how? What is actually necessary to log to achieve this?

  • You’ll have a way to track the integrity of your data without having to duplicate it
  • You’ll be able to invite third-parties to verify your records and prove to them that you're handling data as you claim to
  • You’ll be able to confidently build components that rely on the data in your log

Exercise #1

Clarify your verifiable system design

We’ve designed a series of questions to help you start thinking about the design of your verifiable system.

  • Clarify what you mean by a malicious log entry
  • Identify who’s relying on the log
  • Identify who’s verifying the log
  • ... and more

Each question has worked examples that you can learn from. By the end of the exercise, you should have a better idea of your design for your verifiable system.

You could work through these questions alone or with your team, a bit like you might when doing a threat model.

Start the exercise

Exercise #2

Perform a formal analysis

The Claimant Model is a framework you can use to define the roles and artifacts in your verifiable system.

  • A precise way to represent your system design
  • A common vocabulary for sharing your system design with other people

The Claimant Model will help you get precise about the design of your verifiable system. This guide takes you step-by-step through how to map the Claimant Model for binary transparency.

Start the exercise

The theory of claims

The theory behind the Claimant Model is that verifiable systems revolve around a central claim. A claim is something that’s trusted to be true in order to take a particular action.

For example, before installing a software update, a phone’s updater app trusts the claim “Software update v1.2 was really made by PhoneCo” made by the manufacturer, PhoneCo.

Without a verifiable system, the updater app blindly trusts the digital signature from PhoneCo. This does offer a level of protection. But if PhoneCo’s signing key is stolen, it offers no visibility of a malicious update issued to a targeted user: a valid signature looks the same whoever made it.

The Claimant Model helps PhoneCo design transparency and discoverability into their system, adding a layer of protection beyond cryptographic signing. Now they can detect malicious updates and discover if their keys are compromised.

The Claimant Model gives you a framework for describing:

  1. The trusted claims being made
  2. Who is making the claims
  3. Who believes the claims and what actions they take as a result
  4. Who can verify the claims and who can catch false claimants
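The two ideas above, tracking integrity without duplicating the data (a believer checks a short inclusion proof against a published root instead of holding a copy of the log) and a verifier catching a claim the claimant never intended to make (the PhoneCo stolen-key case), can be shown with a small Merkle-tree log. The following is an added example written for this page, not code from the page or from Trillian; it uses the RFC 6962 hashing and proof construction that Certificate Transparency and Trillian use, but the in-memory log, the claim string format ("PhoneCo update v1.2 sha256:...") and the release record that the verifier compares against are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// hashWith applies the RFC 6962 domain-separation prefix (0x00 leaf, 0x01 node).
func hashWith(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func hashLeaf(data []byte) []byte        { return hashWith(0x00, data) }
func hashNode(left, right []byte) []byte { return hashWith(0x01, left, right) }

func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// rootHash is MTH(D[n]) from RFC 6962 section 2.1: the value the log publishes.
func rootHash(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return hashLeaf(leaves[0])
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return hashNode(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

// inclusionProof is PATH(m, D[n]) from RFC 6962 section 2.1.1: the sibling
// hashes a believer needs to recompute the root from leaf m without a log copy.
func inclusionProof(m int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if m < k {
		return append(inclusionProof(m, leaves[:k]), rootHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), rootHash(leaves[:k]))
}

// verifyInclusion is the believer's check, following the walk in RFC 9162
// section 2.1.3.2, against a root it obtained independently of the claimant.
func verifyInclusion(leafIndex, treeSize int, leaf []byte, proof [][]byte, root []byte) bool {
	if leafIndex < 0 || leafIndex >= treeSize {
		return false
	}
	r := hashLeaf(leaf)
	fn, sn := leafIndex, treeSize-1
	for _, p := range proof {
		if sn == 0 {
			return false // more proof nodes than the tree has levels
		}
		if fn%2 == 1 || fn == sn {
			r = hashNode(p, r)
			for fn%2 == 0 && fn != 0 { // skip levels where this node was a complete right subtree
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashNode(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// auditClaims is the verifier's role in the PhoneCo example: every logged claim
// (a constructed string format here) is compared with the releases PhoneCo knows
// it made, and anything else, e.g. an update signed with a stolen key, is reported.
func auditClaims(entries [][]byte, known map[string]bool) []string {
	var unexpected []string
	for _, e := range entries {
		if !known[string(e)] {
			unexpected = append(unexpected, string(e))
		}
	}
	return unexpected
}

func main() {
	known := map[string]bool{"PhoneCo update v1.2 sha256:2222": true} // constructed release record
	entries := [][]byte{[]byte("PhoneCo update v1.2 sha256:2222"), []byte("PhoneCo update v1.2 sha256:beef")}
	fmt.Println("believer: leaf 1 included?", verifyInclusion(1, len(entries), entries[1], inclusionProof(1, entries), rootHash(entries)))
	fmt.Println("verifier: unexpected claims:", auditClaims(entries, known))
}
```

Note the division of labour: the believer only learns that the claim it is about to act on is in the log (so any harm is at least discoverable), and it is the verifier, who reads the whole log, that decides whether the claim should have been made at all. A believer that trusts a root handed to it by the claimant gains nothing; in practice the root comes from the log operator and is cross-checked by witnesses.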

Examples of using the Claimant Model

Below are two examples of applying the Claimant Model to Trillian-based solutions:

Certificate transparency

Claimant: Any Certificate Authority
Claim: “I, ${CertificateAuthority}, am authorized to issue $cert for $domain”
Believer: Browser (user agent)
Verifier: Domain owners
Action: Browser trusts the certificate to encrypt communication with the web server

Read more about Certificate transparency

Golang module transparency

Claimant: Proxy
Claim: “I, ${Proxy}, will return only $hash as the checksum for $module at $version”
Believer: Go client-side tool
Verifier: Anyone checking that each module and version appears at most once
Action: Go client-side tool trusts the code it’s downloaded for $module at $version

Read more about Golang module transparency
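The verifier row above is a check anyone can run over the log contents: if the proxy ever returns two different checksums for the same $module at $version, the claim is broken and the two entries are the evidence. The following is an added example written for this page, not code from the page, from Trillian or from the Go checksum database; it assumes log entries in the go.sum line format ("module version hash", with the "/go.mod" suffix on the version for go.mod-only hashes) and uses constructed sample lines whose hashes are not real checksums. As an assumption of this example, an identical line appearing twice is tolerated; only a second, different hash for the same key is reported.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is one checksum claim in the go.sum line format: "<module> <version> <hash>".
// A version ending in "/go.mod" is the go.mod-only hash and is a separate key.
type Record struct{ Module, Version, Hash string }

// parseRecords parses newline-separated go.sum-style lines, skipping blanks and
// rejecting malformed lines rather than silently dropping them.
func parseRecords(text string) ([]Record, error) {
	var recs []Record
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", i+1, len(f))
		}
		recs = append(recs, Record{f[0], f[1], f[2]})
	}
	return recs, nil
}

// findConflicts is the verifier's check from the table above: each
// module@version may be served with only one hash. It returns, per offending
// key, the sorted distinct hashes the log carries for it.
func findConflicts(recs []Record) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, r := range recs {
		key := r.Module + "@" + r.Version
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][r.Hash] = true
	}
	conflicts := map[string][]string{}
	for key, hashes := range seen {
		if len(hashes) < 2 {
			continue
		}
		for h := range hashes {
			conflicts[key] = append(conflicts[key], h)
		}
		sort.Strings(conflicts[key])
	}
	return conflicts
}

// sampleLog is constructed for this example; the hashes are not real checksums.
const sampleLog = `
example.com/widget v1.4.0 h1:AAAA
example.com/widget v1.4.0/go.mod h1:MMMM
example.com/gadget v2.0.1 h1:BBBB
example.com/widget v1.4.0 h1:ZZZZ
example.com/widget v1.4.0/go.mod h1:MMMM
`

func main() {
	recs, err := parseRecords(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for key, hashes := range findConflicts(recs) {
		fmt.Printf("conflict: %s served with %v\n", key, hashes)
	}
}
```

On the sample input the only finding is example.com/widget@v1.4.0, served with both h1:AAAA and h1:ZZZZ; the repeated go.mod line is not a conflict because its hash is the same both times. The check is only as good as the verifier's view of the log, so in a real deployment it runs over entries fetched from the log itself, not over what the proxy chose to show one client.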
