Simon Josefsson simon@josefsson.org writes:
> Do you have any objection to the following text snippet? What could you suggest as improvement? I picked 5 AW witnesses from your list.
It's a bit unclear to me what reliability to expect from the AW witnesses, but it makes sense to me as a starting point.
And as usual, availability of logs and witnesses matters at the time that you need to make a new release. It doesn't matter at all at verification time, since that's offline.
Maybe with a somewhat more verbose name for the GTF group (I guess it's an abbreviation for google trust fabric, but I guess that's unobvious to users).
> Wouldn't it be more reliable to include two different logs, possibly with 2/3 witnesses each? Having a single point of control on the 'seasalp.glasklar.is' domain name seems like a serious problem to me. Hard-coding IP addresses? Tor onion name?
It would be good to have additional logs, for reliability. But as far as I'm aware, for now seasalp is the only available one with any intention to operate reliably.
Adding a tor onion address is certainly doable, but it's not entirely clear to me what benefits you get; the log is authenticated using its key, so what you'd protect against is attacks on the DNS lookup or attacks on routing or ip-based filtering somewhere in the middle of the routing path?
> Can I specify a quorum group requiring inclusion into two different logs with one witness each? Is there an example of a trust policy with multiple logs, and multiple witnesses from each, and some quorum setting? Can one witness validate multiple logs?
When adding multiple logs to the policy, the semantics is that any of them is fine. Verifier accepts any of them, submitters submit to a randomly selected available log, and monitors should monitor *all* the listed logs.
And the expectation is that you would have more or less the same set of witnesses cosigning all logs in your policy. We'll put that to the test for the next log that someone wants to operate, and which we'd then like to be witnessed by both AW and by the glasklar witness that should materialize soon.
The same quorum in the policy applies regardless of which log was used. If we used a separate quorum for each log, I think that would make analysis of split view attacks a lot hairier.
Regards, /Niels
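The policy semantics Niels describes above (a verifier accepts a proof from any one of the listed logs, one quorum of witness cosignatures applies whichever log was used, and a monitor must watch all listed logs) as an added worked example; this is not code from the thread or from the Sigsum project, and the policy structure, log identifiers and witness names are constructed placeholders, not Sigsum's actual policy file syntax.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    logs: set       # log identifiers a verifier accepts; any single one suffices
    groups: dict    # group name -> (threshold, members); a member is a witness name or a group name
    quorum: str     # the group that must be satisfied, independent of which log was used

def group_satisfied(policy: Policy, name: str, cosigners: set) -> bool:
    """A group is satisfied when at least `threshold` of its members are:
    a witness member counts if it cosigned, a nested group counts if it is satisfied."""
    threshold, members = policy.groups[name]
    hits = 0
    for member in members:
        if member in policy.groups:
            hits += group_satisfied(policy, member, cosigners)
        else:
            hits += member in cosigners
    return hits >= threshold

def accept(policy: Policy, log_id: str, cosigners: set) -> bool:
    """Verifier side: the proof must come from a listed log, and the same
    quorum is checked against the witnesses that cosigned that log's tree head."""
    if log_id not in policy.logs:
        return False
    return group_satisfied(policy, policy.quorum, cosigners)

def monitored_logs(policy: Policy) -> set:
    """Monitor side: a split view could be served from any listed log, so all of them are watched."""
    return set(policy.logs)

# Constructed policy mirroring the thread: one log today, five AW witnesses, three of them required.
ONE_LOG = Policy(
    logs={"log-seasalp-placeholder"},
    groups={"aw": (3, ["aw1", "aw2", "aw3", "aw4", "aw5"])},
    quorum="aw",
)

# Constructed two-log policy: both logs are accepted, and the quorum needs the AW
# group (3 of 5) AND the GTF group (2 of 3) to have cosigned, whichever log was used.
TWO_LOGS = Policy(
    logs={"log-seasalp-placeholder", "log-second-placeholder"},
    groups={
        "aw": (3, ["aw1", "aw2", "aw3", "aw4", "aw5"]),
        "gtf": (2, ["gtf1", "gtf2", "gtf3"]),
        "both": (2, ["aw", "gtf"]),
    },
    quorum="both",
)
```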