|
| 1 | +# Claimant Model In-Depth |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +The Claimant Model is very concisely introduced in the [Core Model](./CoreModel.md). |
| 6 | +While this concise documentation works well as a refresher for those that already understand the model, it has |
| 7 | +empirically proved to be a tough introduction to those new to the domain. |
| 8 | +This longer form text on the Claimant Model serves as a more gentle on-ramp to understanding this powerful tool. |
| 9 | + |
| 10 | +This text is broken into sections, but is intended to be read from start to finish. |
| 11 | + |
| 12 | +## Motivation |
| 13 | + |
| 14 | +Prior to the Claimant Model being developed, new transparency projects were designed by copying and modifying |
| 15 | +patterns from existing deployments, most notably [Certificate Transparency](https://certificate.transparency.dev/) (CT). |
| 16 | +While this allows those familiar with CT to reach consensus on a rough design quickly, it has a number of drawbacks: |
| 17 | + |
| 18 | +1. Those that don't already understand CT now have to read [RFC 6962](https://www.rfc-editor.org/rfc/rfc6962) to understand |
| 19 | + the domain that the other designers are drawing from |
| 20 | +1. There are still terms in CT that people disagree on the precise definition of (e.g. Auditor and Monitor) |
| 21 | +1. CT uses mechanisms such as SCTs that transparency systems should aim to avoid unless strictly necessary |
| 22 | +1. Any differences in the roles, interactions, actors, or motivations between CT and the new system being designed can |
| 23 | + have knock-on effects that can undermine the security properties achieved |
| 24 | + |
| 25 | +With this in mind, a clean, role-based model for describing transparency systems was required, and the Claimant Model was born. |
| 26 | + |
| 27 | +## Applicability |
| 28 | + |
| 29 | +The Claimant Model can be used to describe any system where an actor (`Believer`) performs some trusted action based on some |
| 30 | +information (`Claim`) provided to them by a trusted third-party (`Claimant`). There is _usually_ an asymmetry, where the |
| 31 | +Believer can not verify that the Claim is true, but believes it because they trust the Claimant. |
| 32 | + |
| 33 | +The situation above appears in countless settings in our everyday human lives. |
| 34 | +On a technical level, this also happens frequently, often invisibly to the user. |
| 35 | +For example, when a Chrome browser (`Believer`) receives a TLS certificate (`Claim`) for a domain, it only performs |
| 36 | +the connection (trusted action) if the certificate is issued by a Certificate Authority (`Claimant`) that chains to its |
| 37 | +trusted roots. |
| 38 | +As another example, a software package manager (`Believer`) will only install software (trusted action) when the package |
| 39 | +(`Claim`) is signed by the correct package maintainer (`Claimant`). |
| 40 | + |
| 41 | +Above we state that it must be possible to verify that the Claim is true. |
| 42 | +This means that all Claims must be _falsifiable_, i.e. they are able to be proven false. |
| 43 | +We'll discuss _who_ can falsify Claims later. |
| 44 | + |
| 45 | +### Exceptions |
| 46 | + |
| 47 | +There are some situations that the Claimant Model _could_ be used to describe, but taking the time to do so would be a poor |
| 48 | +return on investment, or more simply, just confuse a situation that can be easily stated in simpler terms. |
| 49 | + |
| 50 | +- Believer can trivially verify the Claim: trust in the Claimant is a non-factor in this case. For example, if a web |
| 51 | + service exists that can return the prime factors of some large number, the Believer may not have been able to perform |
| 52 | + this factorization itself, but it can trivially multiply the factors together to confirm the result. |
| 53 | +- Believer will trust Claims from anyone: if the identity of the Claimant is not a factor in the Believer's decision to |
| 54 | + perform some action, then the Claimant Model provides little benefit. Such situtations are unfortunately |
| 55 | + still common, e.g. installing unsigned software/firmware. |
| 56 | + |
| 57 | +## Trust |
| 58 | + |
| 59 | +Any ecosystem where the Claimant Model is [applicable](#applicability) has potential for exploit. |
| 60 | +Specifically, a false Claim made under the identity of the Claimant would be believed by a Believer, and they would |
| 61 | +perform some trusted action they would not have made given a true Claim. |
| 62 | + |
| 63 | +### Motivations for Betraying Trust |
| 64 | + |
| 65 | +There are many reasons that a Claimant may make incorrect Claims, and these are worth considering along with a threat model. |
| 66 | +As a non-exhaustive list of reasons that a Claimant may make a false claim: |
| 67 | +- Accidental: |
| 68 | + - Bugs in code that the Claimant runs |
| 69 | + - Human error in following process |
| 70 | + - Massively unlikely, but [possible](https://www.agwa.name/blog/post/how_ct_logs_fail) random uncontrollable events |
| 71 | +- Greed: the Claimant decided that abusing their trust was financially more beneficial than continuing operating in |
| 72 | + a trustworthy manner (e.g. exit scams in the cryptocurrency world) |
| 73 | +- Compromise: |
| 74 | + - Insider Threat: a single agent at the company has motivation to exploit trust |
| 75 | + - Leverage: a third-party could coerce the Claimant into betraying trust |
| 76 | + - Compromise: actors that breach the Claimant security mechanisms could issue false claims directly by stealing signing keys, |
| 77 | + or change code or playbooks in such a way that the Claimant themselves issues false claims |
| 78 | + |
| 79 | +There are also pressures in the opposite direction, i.e. motivations to *never* issue a bad claim. |
| 80 | +Consider the situation where each Claim is provided to a single Believer who would never realize the Claim was bad, and then |
| 81 | +compare this to a situation where every Claim is made in a publicly visible forum. |
| 82 | +In the first situation, maybe a Claimant could be coerced into making a bad Claim "just this one time", where in the second |
| 83 | +case it would be discovered and a public investigation launched. |
| 84 | +This is the motivation for [transparency logs](https://transparency.dev). |
| 85 | + |
| 86 | +## Verification |
| 87 | + |
| 88 | +Given enough time, potential motivation, and/or bad luck, any Claimant could issue a false Claim. |
| 89 | +The question is how to make a system with enough security given this fact. |
| 90 | + |
| 91 | +Earlier we established that Claims must be falsifiable, but that in general the Believer will not be able |
| 92 | +to perform this verification. |
| 93 | +Thus we introduce the role of the `Verifier`, which will be able to verify all Claims in a system. |
| 94 | + |
| 95 | +TODO: link to sidebar discussing roles vs actors: the Verifier role does not imply there is a single actor that must |
| 96 | +be able to verify all the claims. |
| 97 | + |
| 98 | +## More Precision |
| 99 | + |
| 100 | +In the interests of making the above as accessible to newcomers as possible, some amount of precision has |
| 101 | +been sacrificed. |
| 102 | +If you're still following along at this point, then it seems like a good time to discuss some topics that |
| 103 | +aren't necessarily difficult, but cross-cut the model in ways that make it too overwhelming to introduce earlier. |
| 104 | + |
| 105 | +### Statements vs Claims |
| 106 | + |
| 107 | +We have used the term Claim until this point to mean two related, but conceptually distinct things: |
| 108 | +- A falsifiable logical statement |
| 109 | +- Data |
| 110 | + |
| 111 | +The first of these is the correct usage of `Claim`: a falsifiable logical statement made by the Claimant. |
| 112 | +The second of these is often referred to as the Claim at high levels, but where precision is required we should refer |
| 113 | +to this as the `Statement`. |
| 114 | + |
| 115 | +A Statement must be issued by the Claimant and it must be possible to construct the Claim from it. |
| 116 | +In practical scalable systems, Statements are determined to have been issued by a Claimant by the presence of |
| 117 | +a digital signature over the Statement. |
| 118 | + |
| 119 | +### Composite Claims |
| 120 | + |
| 121 | +Thus far we've referred to the Believer taking action based on a single Claim. |
| 122 | +This isn't incorrect, but at times it is useful to consider a single Claim as multiple sub-claims. |
| 123 | +In particular, this is useful when a claim has multiple sub-claims that can be verified by different actors. |
| 124 | + |
| 125 | +TODO: example |
| 126 | + |
| 127 | +## Other Reading |
| 128 | + |
| 129 | +- [Transparency: An Implementer's Story](https://transparency.dev/articles/transparency-an-implementers-story/) provides a short, |
| 130 | + narrative-driven journey that would be useful to those understanding how to upgrade their existing security posture to include logs. |
0 commit comments