get rid of policy download signature, explain upload signature better

1 files changed, 3 insertions, 16 deletions

diff --git a/doc/sphinx/cryptography.rst b/doc/sphinx/cryptography.rst
index 6c25fc0..a38f6e7 100644
--- a/doc/sphinx/cryptography.rst
+++ b/doc/sphinx/cryptography.rst
@@ -233,7 +233,9 @@ Signatures
 ----------
 
 The EdDSA keys are used to sign the data sent from the client to the
-server. Everything the client sends to server is signed. The following
+server. This signature ensures that an adversary that observes the upload is not
+able to upload a new version of the policy without knowing the user's identity attributes.
+The signature is made over a hash of the request body. The following
 algorithm is equivalent for **Anastasis-Policy-Signature**.
 
 .. code-block:: none
@@ -248,21 +250,6 @@ algorithm is equivalent for **Anastasis-Policy-Signature**.
 **ver_res**: A boolean value. True: Signature verification passed, False: Signature verification failed.
 
 
-When requesting policy downloads, the client must also provide a signature:
-
-.. code-block:: none
-
-    (anastasis-account-signature) := eddsa_sign(version, eddsa_priv)
-    ver_res := eddsa_verifiy(version, anastasis-account-signature, eddsa_pub)
-
-**anastasis-account-signature**: Signature over the SHA-512 hash of the body using the purpose code ``TALER_SIGNATURE_ANASTASIS_POLICY_DOWNLOAD`` (1401) (see GNUnet EdDSA signature API for the use of purpose).
-
-**version**: The version requested as a 64-bit integer, 2^64-1 for the "latest version".
-
-**ver_res**: A boolean value. True: Signature verification passed, False: Signature verification failed.
-
-
-
 Availability Considerations
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^