From b8e467f8533b9c0c73679b3569eae7cd28d20d41 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 19 Mar 2021 11:57:29 +0100 Subject: added drafty README version 3 --- README.md | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9ac9d82..68533e6 100644 --- a/README.md +++ b/README.md @@ -88,13 +88,30 @@ checksums. As far as we can tell the log's leaf entry must at minimum indicate: analyzed by monitors. Additional metadata needs can be included in the data that the checksum covers, -and the data itself can be stored in a public unauthenticated archive. +and the data itself can be stored in a public unauthenticated archive. Log APIs +and data formats should also follow the principle of minimal common denominator. +We are still in the process of analyzing this further. -Log APIs and data formats should also follow the principle of minimal common -denominator. We are still in the process of analyzing this further. +### Spam and log poisoning +Trillian personalities usually have an _admission criteria_ that determines who +can include what in the log. Without an admission criteria, the log is subject +to both spam (large volumes of data) and poisoning (harmful data). -### Spam mitigations -Important factors: leaf is small, leaf is signed. +The advantage of a small leaf is that spamming the log to such an extend that it +becomes a significant storage and bandwidth burden becomes harder. It also +makes the log's policy easier, e.g., a max data limit is not necessary. + +Because every leaf is signed it is possible to apply rate limits per namespace. +As a toy example one could require that a namespace is registered before use, +and that the registration component enforces a single namespace per top-level +domain. To spam the log you would need an excessive number of domain names. + +A more subtle advantage of not logging the actual data is that it becomes more +difficult to poison the log with something harmful. Transparency logs are +really cryptographic, append-only, and tamper-evident data structures: nothing +can be removed or modified until the log shuts down. Therefore, as few bytes as +possible should be arbitrary in the log's leaf. A reasonable goal could be to +not take on a larger risk than Certificate Transparency. ## 1: -- cgit v1.2.3