aboutsummaryrefslogtreecommitdiff
path: root/archive/2021-06-21-witness-timestamp-verification
blob: 51a90bc67df6116d5f78a9156585dafbd8885ba0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
According to api.md witnesses must only cosign a tree head if it is not backdated or future-dated more than 12 hours.
	* https://github.com/system-transparency/stfe/blob/c8400f98809fbc245f040598e8471fd833e5c1a5/doc/api.md#merkle-tree-head

Discussion raised by ln5
	* Why +- 12 hours, and in particular why so much forward drift
	* Initial thoughts were:
		* Symmetry, easy to implement
		* The point is not that it should be a precicely verified timestamp. Time moves forward roughly for liveliness.
		* If we set this interval too short, say, 5m, then we would make it difficult to use a larger cosigning interval like an hour.  Witnesses would have to do all of their signing the first 5 minutes. So with 12 hours we basically tried to set it "sufficiently large".
		* Another related "threat" is that witnesses would stop signing because of a clock that is a little off. So by having a very flexible interval -> "reduced threat"

	* Highlights of discussion
		* Allowing large clock drift might not be helpful. It might not even be helpful to specify it is a strict implementation criteria. E.g., there is probably a distinction between "warning: time to look at your clock" and "error: we cannot sign this because timestamp is unfresh or someone's clock is wrong".
			* Comments on clock drift is probably better as a recommendation, best practise, implementation hint, or similar in an Appendix or witness README.
		* How unfresh timestamps should a witness sign?
			* Right now we tried the "sufficiently large" approach
			* Maybe it should be a configuration parameter, declared as log metadata.
			* Catch: are we really envisioning an ecosystem where someone is going to say "we really want to run the log with a large cosigned tree head freauency".
				* Probably not. Point is we want independent logs that behave the same.
			* From UX perspective: cosigned tree head frequency F should be "short"
				* After a leaf is merged in the tree, it takes [F,2F] time units before an inclusion proof can lead up to a cosigned tree head.
			* From other perspective: cosigned tree head frequency should not be too short
				* Witnesses need to poke the log more often to discover all tree heads
					* More work and overhead, both for the log and witnesses
				* Reliability of cosigning will be poor if witnesses miss signed tree heads

	* Conclusion (ln5, rgdd)
		* Set a fixed cosigned tree head frequency in api.md that all logs should use.
			* 5 minutes to start with
			* We can reconsider if it should be lower. It should probably not be higher.
			* We can reconsider if it should be a configuration parameter. But a different design is needed for "much lower latency", like Syte et al. approach.  The reason why we are not doing that is because of added complexities and costs.
		* Don't consider clock drift considerations as an integral part of api.md. It is something that we should talk about in "implementation hints" or similar.
		* A witness must not cosign a signed tree head that is older than the log's cosigned tree head frequency.  As stated above, it is always 5 minutes.