Convert signing.rst to markdown

Signed-off-by: Aaron Raimist <aaron@raim.ist>

docs/signing.md

@@ -1,20 +1,4 @@
-.. Copyright 2016 OpenMarket Ltd
+# Signature keys and user identity in libolm
-..
-.. Licensed under the Apache License, Version 2.0 (the "License");
-.. you may not use this file except in compliance with the License.
-.. You may obtain a copy of the License at
-..
-..     http://www.apache.org/licenses/LICENSE-2.0
-..
-.. Unless required by applicable law or agreed to in writing, software
-.. distributed under the License is distributed on an "AS IS" BASIS,
-.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-.. See the License for the specific language governing permissions and
-.. limitations under the License.
-
-
-Signature keys and user identity in libolm
-==========================================
 
 The use of any public-key based cryptography system such as Olm presents the
 need for our users Alice and Bob to verify that they are in fact communicating
@@ -23,13 +7,13 @@ out-of-band process in which Alice and Bob verify that they have the correct
 public keys for each other. For example, this might be done via physical
 presence or via a voice call.
 
-In the basic `Olm <olm.html>`_ protocol, it is sufficient to compare the public
+In the basic [Olm][] protocol, it is sufficient to compare the public
 Curve25519 identity keys. As a naive example, Alice would meet Bob and ensure
 that the identity key she downloaded from the key server matched that shown by
 his device. This prevents the eavesdropper Eve from decrypting any messages
 sent from Alice to Bob, or from masquerading as Bob to send messages to Alice:
 she has neither Alice's nor Bob's private identity key, so cannot successfully
-complete the triple-DH calculation to compute the shared secret, :math:`S`,
+complete the triple-DH calculation to compute the shared secret, $`S`$,
 which in turn prevents her decrypting intercepted messages, or from creating
 new messages with valid MACs. Obviously, for protection to be complete, Bob
 must similarly verify Alice's key.
@@ -41,7 +25,7 @@ one-time keys. Curve25519 keys are intended for use in DH calculations, and
 their use to calculate signatures is non-trivial.
 
 The solution adopted in this library is to generate a signing key for each
-user. This is an `Ed25519`_ keypair, which is used to calculate a signature on
+user. This is an [Ed25519][] keypair, which is used to calculate a signature on
 an object including both the public Ed25519 signing key and the public
 Curve25519 identity key. It is then the **public Ed25519 signing key** which is
 used as the device fingerprint which Alice and Bob verify with each other.
@@ -50,8 +34,7 @@ By verifying the signatures on the key object, Alice and Bob then get the same
 level of assurance about the ownership of the Curve25519 identity keys as if
 they had compared those directly.
 
-Signing one-time keys
+## Signing one-time keys
----------------------
 
 The Olm protocol requires users to publish a set of one-time keys to a key
 server. To establish an Olm session, the originator downloads a key for the
@@ -60,19 +43,20 @@ is left to the application. There are both advantages and disadvantages to
 doing so.
 
 Consider the scenario where one-time keys are unsigned. Alice wants to initiate
-an Olm session with Bob. Bob uploads his one-time keys, :math:`E_B`, but Eve
+an Olm session with Bob. Bob uploads his one-time keys, $`E_B`$, but Eve
-replaces them with ones she controls, :math:`E_E`. Alice downloads one of the
+replaces them with ones she controls, $`E_E`$. Alice downloads one of the
-compromised keys, and sends a pre-key message using a shared secret :math:`S`,
+compromised keys, and sends a pre-key message using a shared secret $`S`$,
 where:
 
-.. math::
+```math
-    S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
+S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
-         \parallel\;ECDH\left(E_A,\,E_E\right)
+        \parallel\;ECDH\left(E_A,\,E_E\right)
+```
 
 Eve cannot decrypt the message because she does not have the private parts of
-either :math:`E_A` nor :math:`I_B`, so cannot calculate
+either $`E_A`$ nor $`I_B`$, so cannot calculate
-:math:`ECDH\left(E_A,\,I_B\right)`. However, suppose she later compromises
+$`ECDH\left(E_A,\,I_B\right)`$. However, suppose she later compromises
-Bob's identity key :math:`I_B`. This would give her the ability to decrypt any
+Bob's identity key $`I_B`$. This would give her the ability to decrypt any
 pre-key messages sent to Bob using the compromised one-time keys, and is thus a
 problematic loss of forward secrecy. If Bob signs his keys with his Ed25519
 signing key (and Alice verifies the signature before using them), this problem
@@ -81,38 +65,38 @@ is avoided.
 On the other hand, signing the one-time keys leads to a reduction in
 deniability. Recall that the shared secret is calculated as follows:
 
-.. math::
+```math
-        S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
+S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
-            \parallel\;ECDH\left(E_A,\,E_B\right)
+    \parallel\;ECDH\left(E_A,\,E_B\right)
+```
 
-If keys are unsigned, a forger can make up values of :math:`E_A` and
+If keys are unsigned, a forger can make up values of $`E_A`$ and
-:math:`E_B`, and construct a transcript of a conversation which looks like it
+$`E_B`$, and construct a transcript of a conversation which looks like it
 was between Alice and Bob. Alice and Bob can therefore plausibly deny their
 partition in any conversation even if they are both forced to divulge their
 private identity keys, since it is impossible to prove that the transcript was
 a conversation between the two of them, rather than constructed by a forger.
 
-If :math:`E_B` is signed, it is no longer possible to construct arbitrary
+If $`E_B`$ is signed, it is no longer possible to construct arbitrary
 transcripts. Given a transcript and Alice and Bob's identity keys, we can now
 show that at least one of Alice or Bob was involved in the conversation,
-because the ability to calculate :math:`ECDH\left(I_A,\,E_B\right)` requires
+because the ability to calculate $`ECDH\left(I_A,\,E_B\right)`$ requires
-knowledge of the private parts of either :math:`I_A` (proving Alice's
+knowledge of the private parts of either $`I_A`$ (proving Alice's
-involvement) or :math:`E_B` (proving Bob's involvement, via the
+involvement) or $`E_B`$ (proving Bob's involvement, via the
 signature). Note that it remains impossible to show that *both* Alice and Bob
 were involved.
 
 In conclusion, applications should consider whether to sign one-time keys based
 on the trade-off between forward secrecy and deniability.
 
-License
+## License
--------
 
-This document is licensed under the `Apache License, Version 2.0
+This document is licensed under the Apache License, Version 2.0
-<http://www.apache.org/licenses/LICENSE-2.0>`_.
+http://www.apache.org/licenses/LICENSE-2.0.
 
-Feedback
+## Feedback
---------
 
 Questions and feedback can be sent to olm at matrix.org.
 
-.. _`Ed25519`: http://ed25519.cr.yp.to/
+[Ed25519]: http://ed25519.cr.yp.to/
+[Olm]: https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/olm.md