Alternative Cryptographic Ledger (Trillian) #4

paragonie-scott opened this issue Nov 22, 2019 · 1 comment
Labels
future-maybe: Possible changes to land in a future version of libgossamer
please-give-feedback: Hey you! Yes, you! Tell us what you think about this.

Comments

@paragonie-scott
Member

Note: This is a "scoped for the future" milestone item. Not an immediate goal.

When the appropriate change has landed, ecosystems will be able to write to a Chronicle or Trillian, or to both.

Some other projects (e.g. Go, Firefox) already use a Trillian personality to accomplish a similar security goal.

For the sake of interoperation (and/or just flat-out piggybacking off their security analysis), we may want to integrate with Trillian as well.

These are the only two I plan on ever supporting in my design, and only if it's worthwhile. For the time being, just Chronicle is fine.

paragonie-scott added the future-maybe and please-give-feedback labels Nov 22, 2019
@Foxboron

sigstore is currently a transparency log intended for build system artifacts that supports several package types built on Trillian. There is currently some traction in the container ecosystem and distro ecosystems to adopt it as the transparency log.

It also has some solutions for signatures, but that might not be super interesting if it doesn't fit the gossamer scheme. However it might be interesting to piggyback on this directly.

Implemented types:
https://github.com/sigstore/rekor/tree/main/pkg/types

Project site: https://www.sigstore.dev/

The only downside is that there is no PHP code for this yet. So there is some effort required to support that part.

For a practical example there is this POC which adds Binary Transparency to pacman: https://github.com/kpcyrd/pacman-bintrans/
