Hi list,

I recently developed a small tool to create offline mirrors of some of the 
logs.

I wrote it when I realized that bootstrapping a monitor to try and validate 
a whole log from scratch can be difficult. The difficulties come from:

   - a slow download procedure (some log get-entries calls can be 
   relatively slow: seconds and sometimes tens of seconds per query);
   - if, for whatever reason, a get-entries response is corrupted, the root 
   hash will be incorrect. If the user has no access to intermediate STHs, 
   there is no way to narrow down and track the corrupted get-entries result. 
   The user can only start over.


I also think that Chrom(e|ium) does not currently fully implement the 
auditor role.

On Fri, Oct 28, 2016 at 1:16 AM, Ryan Sleevi wrote:
> Although CT is designed to prevent the damage any one of these
> organizations can do, it relies on a fully functioning ecosystem of
> gossip and accountability. I've repeatedly made clear that we're
> committed to moving towards that system, but I don't think it would be
> wise to create a false sense of urgency and suggest it be relaxed. I
> say this because relaxing, prior to that robustness, would
> particularly benefit organizations who may not be able to ensure their
> employees follow proper procedures, or which may not keep up to date
> with changes in the log policy, as that could allow for misissuance to
> happen without detection, or through coercion.
> 
> Again, we're very much committed to the long term and exploring ways
> to relax the policy, but at present, Chrome feels that while it's
> reasonable to (for the short-term), trust Google to be honest, it's
> not reasonable to trust all logs to do so. Which is why the policy
> exists :)

As such, I think that Google's initiative to set up mirrors is a valid 
temporary approach, which helps mitigate split-view attacks.

My tool assists the creation of offline mirrors, by:

   - downloading the log entries;
   - building partial tree hashes; 
   - generating Bittorrent metainfo files to allow these mirrors to be 
   downloaded quickly;
   - providing ways to verify partial downloads.
   

You may find some documentation and the torrents I generated at the 
following website:

https://www.x-cli.eu/ct

New torrents will be published every week or so, with the latest entries.

The source code of my tool is available at:

https://github.com/X-Cli/ATBTCT

Cheers,
Florian

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
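
Added illustration, not part of the original message and not code from ATBTCT: how per-chunk partial tree hashes let a mirror user pinpoint a corrupted get-entries range instead of starting over. It assumes RFC 6962 hashing and chunks of a power-of-two size aligned to the tree, so that the chunk hashes recombine into the STH root hash; the function names, chunk size and log entries are constructed for the example.

```python
import hashlib

CHUNK = 4  # assumed chunk size; a power of two so each chunk is a complete subtree


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()


def mth(hashes: list) -> bytes:
    # RFC 6962 Merkle Tree Hash over a non-empty list of node hashes
    n = len(hashes)
    if n == 1:
        return hashes[0]
    k = 1
    while k * 2 < n:  # largest power of two strictly smaller than n
        k *= 2
    return hashlib.sha256(b"\x01" + mth(hashes[:k]) + mth(hashes[k:])).digest()


def chunk_roots(entries: list) -> list:
    # One partial tree hash per aligned chunk of CHUNK entries
    return [mth([leaf_hash(e) for e in entries[i:i + CHUNK]])
            for i in range(0, len(entries), CHUNK)]


def bad_chunks(downloaded: list, trusted_roots: list) -> list:
    # Indices of chunks whose partial hash differs from the trusted one
    mine = chunk_roots(downloaded)
    return [i for i, (a, b) in enumerate(zip(mine, trusted_roots)) if a != b]


# Constructed sample data: 11 fake log entries, one altered "in transit"
ENTRIES = [b"constructed-entry-%d" % i for i in range(11)]
ROOTS = chunk_roots(ENTRIES)   # partial hashes shipped with the mirror
CORRUPTED = list(ENTRIES)
CORRUPTED[6] = b"bit-flipped"  # falls in chunk 1 (entries 4..7)

if __name__ == "__main__":
    sth_root = mth([leaf_hash(e) for e in ENTRIES])  # stands in for the signed STH root
    # The chunk roots are trustworthy only because they recombine to the STH root.
    print("chunk roots recombine to STH root:", mth(ROOTS) == sth_root)
    print("chunks to re-download:", bad_chunks(CORRUPTED, ROOTS))
```

Only the flagged chunk has to be fetched again; the other partial hashes are reused when recomputing the root.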