On Thu, Jan 09, 2025 at 08:46:09AM +0100, Niels Möller wrote:
Rasmus Dahlberg rgdd@glasklarteknik.se writes:
I'd suggest using a majority policy (8/15 cosignatures). Such a policy for seasalp would look like this:
The implication of such a policy (if employed by both monitors and verifiers, and if we don't want to rely on additional checks on the monitor side) is that an attacker can publish split views without detection, if the attacker is able to compromise the log itself and *one* of the listed witness devices. (Each view is shown to 7 of the honest witnesses, which will then cosign it, while the compromised device cosigns *both* views; each view will then carry 8 valid cosignatures.)
We're talking about the user's sigsum-verify policy, not how the monitor should behave when given the same policy (which is different).
-Rasmus
To be sensitive to an attack compromising log + a single device may sound bad, but it could make good sense under the theory that the easiest attack on the armored witnesses is via compromise of their software updates, and that kind of attack could just as easily compromise them all as only one device.
Bottom line: I agree such a policy is a reasonable starting point.
Regards, /Niels
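The 8-of-15 split-view argument from the thread, as an added Python model that is not part of the thread or of the sigsum tooling: it models only a verifier-side k-of-n quorum check (not monitor behaviour), assumes each honest witness cosigns exactly one of two conflicting tree heads while a compromised witness cosigns both, and generalizes to the minimum number of compromised witnesses for any threshold. Witness ids are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuorumPolicy:
    """A k-of-n witness cosignature policy, e.g. QuorumPolicy(8, 15)."""
    threshold: int   # cosignatures a verifier requires (k)
    witnesses: int   # witnesses listed in the policy (n)


def policy_accepts(policy: QuorumPolicy, cosigners: set[str]) -> bool:
    """Verifier-side check: a tree head is accepted once k listed witnesses cosigned it."""
    return len(cosigners) >= policy.threshold


def cosigners_per_view(policy: QuorumPolicy, compromised: int) -> tuple[set[str], set[str]]:
    """Best split for an attacker controlling the log and `compromised` witnesses.

    Honest witnesses are shown only one of the two conflicting views, split as evenly
    as possible; compromised witnesses cosign both. Returns the cosigner set per view.
    """
    ids = [f"witness-{i:02d}" for i in range(policy.witnesses)]  # constructed ids
    bad = set(ids[:compromised])
    honest = ids[compromised:]
    half = len(honest) // 2
    return set(honest[:half]) | bad, set(honest[half:]) | bad


def split_view_succeeds(policy: QuorumPolicy, compromised: int) -> bool:
    """True if both conflicting views reach the threshold under the policy."""
    view_a, view_b = cosigners_per_view(policy, compromised)
    return policy_accepts(policy, view_a) and policy_accepts(policy, view_b)


def min_compromised_for_split_view(policy: QuorumPolicy) -> int:
    """Closed form: honest h = n - c split h1 + h2, each view needs h_i + c >= k,
    so h + 2c >= 2k, i.e. c >= 2k - n. For 8-of-15 that is a single witness."""
    return max(0, 2 * policy.threshold - policy.witnesses)


if __name__ == "__main__":
    for policy in (QuorumPolicy(8, 15), QuorumPolicy(11, 15), QuorumPolicy(15, 15)):
        c = min_compromised_for_split_view(policy)
        a, b = cosigners_per_view(policy, c)
        print(f"{policy.threshold}/{policy.witnesses}: {c} compromised witness(es) suffice; "
              f"views carry {len(a)} and {len(b)} cosignatures, shared: {sorted(a & b)}")
```

Raising the threshold toward n raises the attacker's cost linearly (2k - n), which is the trade-off against availability that the thread weighs.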