On 15/05/2025 16:19, Niels Möller via Sigsum-general wrote:
The intention of having multiple logs in the policy is that they are all acceptable, we expect each logged item to be in one of the listed logs, but we don't care which one. (So it is crucial that all listed logs are subject to appropriate monitoring).
Having multiple logs is not to increase security, but to increase reliability. You want to be able to make a new logged update and push it out to users, even if one log server is temporarily down.
At the other end, if you look at the sigsum-submit tool: when you give it a policy with multiple logs, it will just randomly select one of them for submission, and if you provide many items to submit, they will be distributed between the listed logs.
About the JSON serialization: looks reasonable to me at a first look (except the per-log quorum). If it is intended to be machine generated, maybe you can omit the "all"/"any" keywords and require numerical thresholds. If it is intended for verifiers only (not monitors or submitters), you could also omit the log URLs; they aren't needed.
Thank you, all of this makes perfect sense. I'll keep the global quorum and make it so the JSON is fully compatible with the original format. More questions will come as I write the code :)
I'm curious about the possibility of removing the log URL. On one hand, it would be optimal because that saves some bytes in HTTP headers that get sent along with every HTTP response. On the other, there's the usability downside that it reduces discoverability of the log itself, meaning that it has to be advertised somewhere else if somebody wants to add a monitor?
Cheers,
Giulio
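As an added illustration of the two sides discussed above (not code from the thread, from sigsum-submit, or from Sigsum's actual policy format): a submitter picks any one of the listed logs, while a verifier accepts an item only if it comes from one of those logs and carries cosignatures meeting a single global witness quorum, with the "all"/"any" keywords normalised to a numeric threshold. The JSON shape, field names, log keys and witness names below are constructed assumptions.

```python
import json
import random

# Constructed policy in an ASSUMED JSON shape (not Sigsum's real format):
# acceptable logs, the known witnesses, and one global quorum that is either
# a number or the keyword "all"/"any".
POLICY_JSON = """
{
  "logs": [
    {"key": "log-key-1", "url": "https://log1.example"},
    {"key": "log-key-2", "url": "https://log2.example"}
  ],
  "witnesses": ["w1", "w2", "w3"],
  "quorum": "any"
}
"""


def load_policy(text):
    """Parse the policy and normalise the quorum to a numeric threshold."""
    policy = json.loads(text)
    quorum = policy["quorum"]
    n = len(policy["witnesses"])
    if quorum == "all":
        quorum = n
    elif quorum == "any":
        quorum = 1
    if not isinstance(quorum, int) or not 1 <= quorum <= n:
        raise ValueError("quorum must be a number between 1 and the witness count")
    policy["quorum"] = quorum
    return policy


def pick_log(policy, rng=random):
    """Submitter side: every listed log is acceptable, so choose one at random."""
    return rng.choice(policy["logs"])["key"]


def accept(policy, log_key, cosigning_witnesses):
    """Verifier side: the item must be in one of the listed logs and have
    cosignatures from at least `quorum` distinct witnesses named in the policy.
    Cosignatures from unknown witnesses do not count towards the quorum."""
    if log_key not in {log["key"] for log in policy["logs"]}:
        return False
    known = set(policy["witnesses"])
    return len(set(cosigning_witnesses) & known) >= policy["quorum"]
```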