In the current version of Wax we apply the above one-time signature at the catalogue level. Each catalogue contains the hashes of all relevant books which can then be simply authenticated via the catalogue. We also link our catalogues together. We include in each signed catalogue seven public keys with which further editions of the catalogue, and other material from the same publisher, can be authenticated. This means that the chain of trust is broken if a user skips too many updates; in that case, he has to verify the public key of the new update using the same out-of-band mechanisms employed when the system was initially loaded and which we describe below.
For the initialisation of the chain of trust the Wax-centre generates eight key pairs . The first catalogue ( ) contains the hashes of its associated files and the next public keys: . It is signed using the first private key: . As mentioned above is destroyed but the remaining 's are kept for the following distributions.
For the ith delivery a new key pair is generated and a new catalogue prepared:
Including the hash of the previous catalogue(s) into the current one prevent from denial of content attacks. Again, , the private key used for signature, is destroyed.
In order to bootstrap the trust in the system, each user is required to verify the public key of this initial shipment. A number of channels are provided for this, which is tightly bound up with the problem of trusted distribution. Initial deployment is by means of a mass mailing of CDs (stuck to the cover of an appropriate medical journal); electronic distributions are also available with authentication provided by the available mechanisms (such as PGP signatures, published MD5 hashes in medical journals, and download using SSL from a `secure' web site).
The version of Wax that used RSA and X.509 had some further mechanisms, that were involved with users registering public keys of their own to the system; the corresponding private keys were used to generate signatures on books generated locally (such as treatment protocols developed in an individual medical practice) and also to generate counter-signatures on catalogues which had been downloaded and verified (as an extra precaution against virus attacks and the like).
On reviewing this design we concluded that the local use of public key cryptography added little. A medical practice which is going to publish a locally developed treatment protocol will as a matter of basic safety submit it to a peer review process, and thus all publication either is intermediated or can easily be made so. As for virus attack, the use of local signatures really only adds a modest layer of `security through obscurity' as a virus written after study of the Wax code could alter the local public key and, absent tamper resistant processors, there appears to be no way to stop this.