From 2dd7cdc11d4e40fbcec19514ea79af639d0730e3 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 1 Nov 2024 10:43:09 +0100 Subject: Reference Andrew Ayer's related work Closes #2. --- docs/design.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/design.md b/docs/design.md index 83f2b59..2e21f12 100644 --- a/docs/design.md +++ b/docs/design.md @@ -98,3 +98,19 @@ can do is replay or block integrity-protected files that a system generated. "Replays" can happen either way because the monitor polls periodically, i.e., the monitor needs to account for the fact that it may poll the same file twice. Blocking can not be solved by cryptography and would simply result in alerts. + +## Related work + +The commercial version of `certspotter` supports a push-based method for +[authorizing][] legitimately issued certificates. The monitor does its +authentication using HTTP tokens. In contrast, the silentct design is: + + 1. Safe against attackers that MitM the communication to the monitor, i.e., + message authentication codes are used instead of HTTP access tokens. + 2. Applicable in asynchronous workflows, i.e., the monitor does not need to + always be online and listen for allowlist requests on a public address. + +The initial authors of silentct were not aware of Andrew Ayer's related work +before [this thread](https://follow.agwa.name/notice/AmyLDdYcAqF2p5sG24). + +[authorizing]: https://sslmate.com/help/reference/certspotter_authorization_api -- cgit v1.2.3
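Review bot: Item 1 of the new "Related work" list claims more than the unchanged paragraph just above it supports. "Safe against attackers that MitM the communication to the monitor" reads as blanket protection, while the context lines say such an attacker can still "replay or block integrity-protected files". Suggest scoping the claim to what the MAC provides, for example "An attacker that MitMs the communication to the monitor cannot forge or modify allowlist submissions, because message authentication codes are used instead of HTTP access tokens", and pointing back to the replay/blocking paragraph for the residual cases. In the sentence before the list, "The monitor does its authentication using HTTP tokens" leaves it unclear which monitor is meant, since the next sentence switches to silentct; "certspotter's monitor authenticates these requests using HTTP tokens" would remove the ambiguity. Style nit: the hunk uses a reference-style link for [authorizing] and an inline link for "this thread"; pick one form for both.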