davidben / merkle-tree-certs

Discuss the implications of hashes with unknown preimages #69

Closed davidben closed 1 year ago

davidben commented 1 year ago

There are a lot of places a signature may cover a hash but the preimage is unknown. We can't distinguish an unknown preimage (e.g. the CA signed some garbage) from a hash whose preimage contains something nefarious, so I think we need to discuss this a bit, and whether this breaks transparency.

The story for most of these is:

But we should write it down. #49 is interesting, however. Starting with #49, it is possible for a CA to sign over an abridged assertion with a hash with an unknown preimage. We need to be very clear that it doesn't matter whether anyone can produce the preimage. If the CA signs over that abridged assertion, they have attested to it. This is an interesting subtlety: the CA attests to abridged assertions and not every abridged assertion necessarily corresponded to an assertion.

I'll see about putting together some text.
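The subtlety raised in the comment above, as an added example that is not part of the issue thread or the project's code: inclusion in the tree the CA commits to verifies identically for a leaf whose key hash has a known preimage and for one whose hash field is arbitrary bytes. The leaf layout, the RFC 6962-style hashing prefixes and every name here are simplifying assumptions, and the CA's signature over the root is left out.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def abridged(subject: bytes, key_hash: bytes) -> bytes:
    # Assumed layout: length-prefixed subject, then a 32-byte hash of the public key.
    return len(subject).to_bytes(2, "big") + subject + key_hash

def leaf_hash(leaf: bytes) -> bytes:
    return h(b"\x00" + leaf)

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(leaves: list) -> list:
    # Leaf count must be a power of two in this simplified tree.
    levels = [[leaf_hash(a) for a in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def inclusion_proof(levels: list, index: int) -> list:
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])  # sibling node at this level
        index >>= 1
    return proof

def verify_inclusion(leaf: bytes, index: int, proof: list, root: bytes) -> bool:
    node = leaf_hash(leaf)
    for sibling in proof:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    return node == root

# Constructed batch: three leaves abridged from known keys, plus one leaf whose
# key-hash field is 32 arbitrary bytes for which nobody holds a preimage.
KEYS = [b"constructed-key-0", b"constructed-key-1", b"constructed-key-2"]
BATCH = [abridged(b"host%d.example" % i, h(k)) for i, k in enumerate(KEYS)]
GARBAGE = abridged(b"unknown.example", b"\xaa" * 32)
BATCH.append(GARBAGE)

LEVELS = build_levels(BATCH)
ROOT = LEVELS[-1][0]  # stands in for the tree head the CA would sign

def check_all() -> list:
    # Every leaf, including the one with no known preimage, is covered by ROOT.
    return [verify_inclusion(a, i, inclusion_proof(LEVELS, i), ROOT)
            for i, a in enumerate(BATCH)]
```

A monitor inspecting the batch sees four well-formed leaves; nothing in the proof or the root distinguishes the fourth from the others, which is why the attestation has to be defined over the abridged assertion itself.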

bwesterb commented 1 year ago

Thanks!