aboutsummaryrefslogtreecommitdiff
path: root/archive/2021-10-05--meeting-minutes
blob: f5c369b0e3793cff3606bccd3a07dd95b0584f4c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Date: 2021-10-05, 1300 CEST
Meet: https://meet.sigsum.org/sigsum
Chair: rgdd

Agenda
	* Hello
	* Status round
	* Discuss
	* Next steps

Hello
	* rgdd
	* ln5
	* rohonk

Status round
	* [rgdd] pads that were still active last week
		* https://git.sigsum.org/sigsum/tree/archive/2021-10-05-open-design-thoughts?id=5c02770b5bd7d43b9327623d3de9adeda2468e84
	* [rgdd, ln5] how should sigsum be captialized in text?
		* https://git.sigsum.org/sigsum/tree/archive/2021-10-05-sigsum-capitalization?id=5c02770b5bd7d43b9327623d3de9adeda2468e84
		* Decision: refer to the above description
	* [rgdd] added domain_hint enforcement (tag v0.3.0)
	* [ln5] git.sigsum.org is now go getable
		* Decision: s/golang/git, because we already have git
	* [rohonk] interactive session with rgdd to get started with sigsum work
		* Timeline for security proof? what type of proof? etc. (ongoing)

Discuss
	* Should we redirect HTTP -> HTTPS for onion access
		* Background: http -> https redirects for everything on the regular web
		* Background: but we also have onion services that can too be http or https
		* Should we redirect http to https when accessing an onion service?
		* Decision: no, not by default
			* We would need to aquire and maintain more onion certificates for this
			* Probably not worth the work, onion certificates does not add much value
			* This does not mean we must not have any onion certificate (www.sigsum.org)
	* We received some external feedback
		* A few minor comments
		* A major comment about design.md
			* Too much emphasis on what you can use transparent logs for in general
			* There is a risk that the reader will get stuck on that and claimant model
			* It would be better to keep it simple and go straight to our log design
		* Decision: avoid using the claimant model in design.md, emphasize concrete design
		* Decision: have a separate document about the claimant model for use-cases
	* Bump up log prototype to latest tag
		* Background: we need to decide on a shard interval
		* We discussed 1 year +- a month as a reasonable shard interval before
		* It would be good to do test runs with that in mind, but on scale 1/12
		* Decision: experimental log shards that have a life time of 4 weeks +- 1 week
	* What needs to be done before announcement?
		* Start running a sharded log
		* Refactor + review round of design.md
		* Address minor review comments
	* nusenu-draft about web-of-trust for Tor relays

Next steps
	* [rgdd] address review comments, push refactored design.md and ask for review
	* [ln5] deploy sigsum-log-go v0.3.0 with shard hint (~sep 23-nov 7)
	* [ln5] review revised design.md, after ok from rgdd 

Other useful links
	* [rgdd] funding for strengthen the security of critical open source projects
		* https://security.googleblog.com/2021/10/introducing-secure-open-source-pilot.html
	* [rgdd] nusenu about web of trust for Tor relays, transaprent logs very helpful here
		* https://gitlab.torproject.org/nusenu/torspec/-/blob/simple-wot-for-relay-operator-ids/proposals/ideas/xxx-simple-relay-operator-wot.md#a-simple-web-of-trust-for-tor-relay-operator-ids