Comments (8)
AlCutter
commented on May 3, 2024
There are other potential solutions too:
e.g. a deterministic function which looks at each Trillian STH, and determines whether it should be promoted to a CT STH (noddy example: TrillianSTH.RootHash%n == 0) - this should result in tuneably fewer STHs being emitted by the Log. And since the function is deterministic, each CTFE would naturally promote the same selection of Trillian STHs without requiring any form of coordination. (I can see a few wrinkles in here, but it's an avenue of thought at least.)
from certificate-transparency-go.
Martin2112
commented on May 3, 2024
Initially we were going to mark the promoted ones in the database, and I
started to implement that before we changed our minds. That's probably not
the right way to do it.
Using something like TrillianSTH.RootHash%n leaves you open to bad luck -
OK it would have to be really bad run of luck. Also a log that has small
amounts of traffic wouldn't be generating many candidate STHs. I think this
can be worked around though via the tunable levers.
…On 9 November 2017 at 11:05, Al Cutter ***@***.***> wrote:
There are other potential solutions too:
e.g. a deterministic function which looks at each Trillian STH, and
determines whether it should be promoted to a CT STH (noddy example: TrillianSTH.RootHash%n
== 0) - this should result in tuneably fewer STHs being emitted by the
Log. And since the function is deterministic, each CTFE would naturally
promote the same selection of Trillian STHs without requiring any form of
coordination. (I can see a few wrinkles in here, but it's an avenue of
thought at least.)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#105 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AMv2Tx4cnOxSSRCi1NZlM4tak1aWlNfSks5s0tyOgaJpZM4QXNJv>
.
from certificate-transparency-go.
daviddrysdale
commented on May 3, 2024
So I guess there are two factors that make STHs more individually identifiable for Trillian than for previous log implementations:
a) The Trillian logsigner runs very frequently, and so issues STH more frequently & with finer granularity (i.e. smaller gap in tree size between one STH and the next).
b) The CTFE re-signs every time it is asked for an STH.
An initial pair of simplistic things to do might be to:
a) Increase the --sequencer_interval for the logsigner to something larger (5m?)
b) Have each CTFE instance locally cache the last-sth signature, and re-use the signature if the Trillian backend returns the same log root as previously.
Those are both easy to do, but are they enough to reduce the fingerprinting concerns?
from certificate-transparency-go.
AlCutter
commented on May 3, 2024
Simple-thing-do-to-(a) will only work if there are fewer than batch_size certs coming along within whatever value you set --sequencer_interval to, I think. In the case where there's more work to do that can be done in one batch, the sequencer should be busy looping until it's cleared the backlog, and that'll produce a series of Trillian STHs in quick succession.
from certificate-transparency-go.
Martin2112
commented on May 3, 2024
Do we think the STH cache is enough for the moment or should we do more?
from certificate-transparency-go.
paulmattei
commented on May 3, 2024
@rolandshoemaker running through our backlog. Per Martin's comment, is the STH cache sufficient? Thanks!
from certificate-transparency-go.
rolandshoemaker
commented on May 3, 2024
Seems like a reasonable solution to me.
from certificate-transparency-go.
pavelkalinnikov
commented on May 3, 2024
Closing. Will re-open if STH cache becomes insufficient.
from certificate-transparency-go.
Related Issues (20)
- There is a bug in GetLeavesByRange
- CT log worker stops unexpectedly - Failed to obtain bigger STH HOT 2
- Question regarding verbose logs upon CT fetcher startup HOT 2
- questions about local deployment of certificate-transparency HOT 1
- question about the shell scriptts in CT Log Deployment (Manual) HOT 4
- KMS/HSM support HOT 3
- CT Log Deployment (Manual) is COMPLETELY OUTDATED HOT 13
- Remove lint exceptions and fix remaining issues HOT 2
- CT flaky submission failures
- failed to verify ECDSA signature and GetProofByHash HOT 2
- CTFE GLIBC Error HOT 4
- Dockerized Test Deployment Instruction Suggestions HOT 1
- [removed]
- Race condition on creating a full chain for a certificate
- The "cert / precert mismatch" error when submit an pre-cert HOT 3
- Is EKU filtering stable enough to be used by a production log? HOT 1
- Would it be possible to create a release container for trillian/ctfe/ct_server HOT 1
- Allow lax parsing of keyUsage bit string
- Loglists are offline - v3 urls needed HOT 5
- client/ctclient: Doubled https:// when using --log_name
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certificate-transparency-go.