Rasmus Dahlberg <rgdd@glasklarteknik.se> writes:
I'd suggest using a majority policy (8/15 cosignatures). Such a policy for seasalp would look like this:
The implications of such a policy (if employed by both monitors and verifiers, and if we don't want to rely on additional checks on the monitor side) are that an attacker can publish split views without detection, if the attacker is able to compromise the log itself, and *one* of the listed witness devices. (Each view is shown to 7 of the honest witnesses, which will then cosign it. The compromised device cosigns *both* views, and then each view will carry 8 valid cosignatures.)
To be sensitive to an attack compromising the log + a single device may sound bad, but it could make good sense under the theory that the easiest attack on the armored witnesses is via compromise of their software updates, and that kind of attack could just as easily compromise them all as only one device.
Bottom line: I agree such a policy is a reasonable starting point.
Regards, /Niels
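The split-view arithmetic in the reply above, as an added example that is not part of the thread and not any project's code: a toy k-of-n cosignature policy check, the bound on how many compromised witnesses the attack needs, and a simulation of the scenario where the log shows each view to half of the honest witnesses. Witness names and the policy structure are constructed for illustration.

```python
# Added example (not from the thread): a toy model of a k-of-n witness
# cosignature policy, used to reason about the split-view scenario.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    witnesses: frozenset  # names of the witnesses the policy lists
    quorum: int           # number of cosignatures a view must carry


def policy_accepts(policy, cosigners):
    """A verifier's check: enough *listed* witnesses cosigned this view."""
    valid = set(cosigners) & policy.witnesses
    return len(valid) >= policy.quorum


def min_compromised_for_split_view(n, k):
    """An honest witness cosigns at most one view for a given tree size; a
    compromised one cosigns both.  Two views each need k cosignatures, so
    2*(k - c) <= n - c, i.e. c >= 2k - n compromised witnesses are needed
    (0 if the honest witnesses alone already suffice)."""
    return max(0, 2 * k - n)


def split_view_resistant_quorum(n, c):
    """Smallest quorum k such that c compromised witnesses plus a compromised
    log cannot get two conflicting views accepted: 2k - n > c, so k > (n+c)/2."""
    return (n + c) // 2 + 1


def simulate_split_view(n, k, compromised):
    """Model the attack from the thread: the log shows view A to one half of
    the honest witnesses and view B to the other half; every compromised
    witness cosigns both.  Returns (A accepted, B accepted) under k-of-n."""
    names = [f"w{i}" for i in range(n)]          # constructed witness names
    policy = Policy(frozenset(names), k)
    honest = [w for w in names if w not in compromised]
    half = len(honest) // 2
    view_a = set(honest[:half]) | set(compromised)
    view_b = set(honest[half:]) | set(compromised)
    return policy_accepts(policy, view_a), policy_accepts(policy, view_b)


if __name__ == "__main__":
    # 8-of-15 with one compromised witness: both views reach 8 cosignatures.
    print(simulate_split_view(15, 8, {"w0"}))           # (True, True)
    print(min_compromised_for_split_view(15, 8))        # 1
    print(split_view_resistant_quorum(15, 1))           # 9
```

The same functions show the trade-off in the other direction: raising the quorum to 9-of-15 blocks the one-device case but a log plus three compromised devices still splits the view, and a higher quorum costs availability when honest witnesses are offline.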