Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
> I'm curious about the possibility of removing the log url. On one hand, it would be optimal because that saves some bytes in http headers that get sent along with every http response. On the other, there's the usability downside that it reduces discoverability of the log itself, meaning that it has to be advertised somewhere else if somebody wants to add a monitor?
Depending on the details of your use case, a third-party monitor likely needs additional information, to enable it to verify the implied claims.
When sending policy (and submitter pubkeys?) in the http response, a client needs to know, at least, that some appropriate monitor is aware of the listed logs, submitter pubkeys, and the selection of witnesses. So there is some need for authentication or bootstrap of trust.
Regards,
/Niels