Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
> It's just exploratory, but I'm a bit confused by the multi-log model. For instance, would you expect the signers to send to two logs and then provide back two proof bundles, or would you expect a log with a policy with multiple logs to propagate to the second log?
The intention of having multiple logs in the policy is that they are all acceptable, we expect each logged item to be in one of the listed logs, but we don't care which one. (So it is crucial that all listed logs are subject to appropriate monitoring).
Having multiple logs is not to increase security, but to increase reliability. You want to be able to make a new logged update and push it out to users, even if one log server is temporarily down.
At the other end, if you look at the sigsum-submit tool: when you give it a policy with multiple logs, it will just randomly select one of them for submission, and if you provide many items to submit, they will be distributed between the listed logs.
About the JSON serialization: it looks reasonable to me at first glance (except the per-log quorum). If it is intended to be machine generated, maybe you can omit the "all"/"any" keywords and require numerical thresholds. If it is intended for verifiers only (not monitors or submitters), you could also omit the log URLs; they aren't needed.
Regards, /Niels
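An added example, not from this thread or the Sigsum code base, that turns the reading above into a verifier-side check: any one listed log is acceptable, and an "all"/"any" keyword is normalized to the numerical threshold Niels suggests. The JSON field names, the Policy type and the key-hash strings are hypothetical.

```go
package main

import "encoding/json"

// Hypothetical policy serialization (not Sigsum's actual format): "logs" are
// acceptable log key hashes, ANY one of which suffices; "quorum" is the
// witness threshold, either a number or the keyword "all"/"any".
type Policy struct {
	Logs      []string        `json:"logs"`
	Witnesses []string        `json:"witnesses"`
	Quorum    json.RawMessage `json:"quorum"`
}

// Threshold normalizes the quorum to a number ("all" = every listed witness,
// "any" = 1); 0 means the quorum is malformed or out of range.
func (p *Policy) Threshold() int {
	n, kw := 0, ""
	if json.Unmarshal(p.Quorum, &n) != nil && json.Unmarshal(p.Quorum, &kw) == nil {
		n = map[string]int{"all": len(p.Witnesses), "any": 1}[kw] // unknown keyword -> 0
	}
	if n < 1 || n > len(p.Witnesses) {
		return 0
	}
	return n
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Verify accepts a proof only if its log is one of the listed logs (extra logs
// add availability, not security) and enough distinct listed witnesses cosigned.
func (p *Policy) Verify(logKeyHash string, cosigners []string) bool {
	need := p.Threshold()
	if need == 0 || !contains(p.Logs, logKeyHash) {
		return false // unusable quorum or unlisted log: fail closed
	}
	have := 0 // each listed witness counts at most once
	for _, w := range p.Witnesses {
		if contains(cosigners, w) {
			have++
		}
	}
	return have >= need
}
```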