These sound like good improvements but I still don't really get why the ct log server is responsible for storage at all (as a 3rd party entity)..
Couldn't it just be responsible for its own key and signing incremental advances to a log that all publishers are responsible for storing up to their latest submission to it?
If it needed to restart and some last publisher couldn't give it its latest entries, well they would deserve that rollback to the last publish from a good publisher..
The publishers can't entirely do the storage themselves since the whole point of CT is that they can't retract anything. If they did their own storage, they could rollback any change. Even if the log forms a verification chain, they could do a rollback shortly after issuing a certificate without arousing too much suspicion.
Maybe there is an acceptable way to shift long-term storage to CAs while using CT verifiers only for short term storage? E.g. they keep track of their last 30 days of signatures for a CA, which can then get cross-verified by other verifiers in that timeframe.
The storage requirements don't seem that bad though and it might not be worth any reduced redundancy and increased complexity for a different storage scheme. E.g. what keeps me from doing this is the >1Gbps and >1 pager requirements.
> Even if the log forms a verification chain, they could do a rollback shortly after issuing a certificate without arousing too much suspicion.
This is not true. A rollback is instantly noticeable (because the consistency of Signed True Heads can not be demonstrated) and is a very large failure of the log. What could happen is that a log issues a Signed Certificate Timestamp that can be used to show browsers that the cert is in the log, but never incorporating said cert in the log. This is less obvious, but doing this maliciously isn't really going to achieve much because all certs have to be logged in at least 2 logs to be accepted by browsers.
> Maybe there is an acceptable way to shift long-term storage to CAs while using CT verifiers only for short term storage? E.g. they keep track of their last 30 days of signatures for a CA, which can then get cross-verified by other verifiers in that timeframe.
An important source of stress in the PKI community is that there are many CAs, and a significant portion of them don't really want the system to be secure. (Their processes are of course perfect, so all this certificate logging is just them being pestered). Browser operators (and other cert users) do want the system to be secure.
An important design goal for CT was that it would require very little extra effort from CAs (and this drove many compromises). Google and other members of the CA/Browser would rather spend their goodwill on things that make the system more secure (ie shorter certificate lifetimes) than on getting CAs to pay for operating costs of CT logs. The cost for google to host a CT log is very little.
If CAs have to share CTs and have to save everything the CT would save to their last submission then no CA can destroy the log without colluding with other CAs.
(I.e. your log ends abruptly but polling any other CA that published to the same CT shows there is more including reasons to shut you down.)
I don't see how a scheme where the CT signer has this responsibility makes any sense. If they stop operating because they are sick of it, all the CAs involved have a somewhat suspicious looking CT history on things already issued that has to be explained instead of having always had the responsibility to provide the history up to anything they have signed whether or not some CT goes away.
The point of CT logging is to ensure a person can ask "What certificates were issued for example.com?" or "What certificates were issued by Example CA?" and get an answer that's correct - even if the website or CA fucked up or got hacked and certificates are in the hands of people who've tried to cover their tracks.
This requires the logs be held by independent parties, and retained forever.
If 12 CAs send to the same log and all have to save up to their latest entry not to be declared incompetent to be CAs, how would all 12 possibly do a worse job of providing that log on demand than a random 3rd party who has no particular investment at risk?
(Every other CA in a log is a 3rd party with respect to any other, but they are one who can actually be told to keep something indefinitely because they would also need to return it for legitimizing their own issuance.)
As far as I know, CAs don't have to "save up to their latest entry"
The info they get back from the CT log may be a Merkle Hash that partly depends on the other entries in the log - but they don't have to store the entire log, just a short checksum.
Right and this is what I am saying is backwards with the protocol. It is not in anyone's best interest that some random 3rd party takes responsibility to preserve data for CAs indefinitely to prove things. The CA should identify where it has its copy in the extension and looking at one CAs copy one would find every other CAs copy of the same CT log.
Huh? I don't think the SEC would (just) apologize for letting you get away with manipulation of a significant portion of the US index funds just because they should have noticed you sooner.
They tried this before with fruit. The US companies just sold their interest in production and have plenty of other options for acquisition if they try to tax beyond the relative ease of South America verse anywhere else in the global south.
I would agree that letting black market bs continue will eventually lead to groups that could threaten global control on random other commodities but that's no reason kick the can further down this road.
I don't see why bird ownership wasn't similar to cat.. Would mammal be important or would there be a hidden variable in being able to house a dog or cat as one sometimes needs less permissions for smaller animals in rental agreements, etc..
That they didn’t break down the bird owners between parrots and canaries/finches was a major oversight - while some canary/finch owners do let their birds out and handle them, parrots (even budgies) tend to interact far more with human keepers than finches and canaries do.
Some parrots are out of their cage all the time and interact quite well with the family, like potty-trained 3-d dogs.
It is harder to take them outside for a walk though (although there are bird leashes). This sort of limits the outdoor social interaction that dogs confer.
and yes, some smaller birds are treated more like fish that a member of the family.
The difference may lie in how as mammals, living with a dog or especially a cat is more similar to living with another person. Intelligent birds require a lot of interaction which is good for reducing mental decline, but the relationship is different — most birds spend a substantial amount of time in a cage and generally need to be controlled more, whereas cats and dogs usually freely roam about the house with a few areas that are off-limits.
With dog you have to walk outside even if you have a garden, a dog needs a daily walk a bit further around.
Cat doesn’t need a walk, well it requires play time but I would say walking around the block should do more for person health than playing around with cat in-house.
Well, there’s a physical aspect and socio-mental aspect. A dog probably would be better for the former, but cats aren’t as straightforward as dogs to please or understand and require increased ability to put onself in another’s shoes and view things from their standpoint. Cats are a lot like little furry people in terms of socialization.
I ask because people are often surprised at how social cats are. Sure, some are extroverts and just love everyone like any golden retriever would. But most cats will want to be in the same room if you even if they aren't cuddly (all the time). They greet you at the door and like to play with you. They're just introverted and need time to warm up
Sure, but have you ever seen a pet parrot with the person it bonded to?
I've had cats that were affectionate and cats that came to the house only for food.
The overall problem with this study is that it does nothing to try to categorize the relationship to the pets or eliminate the correlation problems like almost no one has an outdoor cat in an urban environment or any cat in an urban studio apartment.
I'm not arguing that the bird category shouldn't have been broken down but that wasn't what your comment was about. It was about general bird ownership.
I agree, a parrot is not an average bird and I'd wager would be beneficial in similar ways
But I disagree, a cat is not like an average bird.
These are two wildly different conversations. Not to mention that people frequently believe cats aren't social. So I'm not sure how you would expect me to interpret your comment as "parrot, not average bird"
Our 15 year old part Maine Coon that passed away last year was a massive extrovert. He would sit on our front porch waiting for strangers to walk by just so he could run out and flop down on the sidewalk for belly pets. I used to tell him he was going to get kicked out of the Cat Union for doing it.
One of our cats fit that description to an exaggerated amount. She didn’t like cuddling or pets, but she’d follow us around the house and just curl up next to us.
I wonder if it's really just a function of how much work is involved in taking care of pets. I have had pet turtles and cats for years. Cats easily require 10x the amount of work to keep them happy and healthy.
Yes, though 70% is a normal cut-off, I think most versions more heavily bias the placement towards 1/2 in the past square instead of the 1/9th of real chance. Without the bias it is simpler to always guess no.
It seems to me like the goal is to work around the user having to type that to use Bcachefs while implying that they will have with the standard gatekeepers to avoid any limits on adoption via quality checks.
It doesn't work at all, Potter Stewart wasn't stupid or uninformed about what a secular republic is, so he was acting in bad faith to push for personal discretion definitions that will mostly be performed by people in the majority faith.
If the goal is to hoard a currency itself instead of use it as the exchange between real investments then this makes perfect sense, but those people shouldn't be upset when we tell them we don't directly accept their "currency".
This sentiment models a correction to a complaint I first heard with people who tell us everything fell apart since we ended the gold standard. They ignore that we raised all boats rapidly when we didn't pin everything to governments ability to fight gold hoarders for small amounts of gold entering the market. Even gold hoarders are better off in terms of what the market has created to exchange for their gold because that exchange ceased to be limiting on market expansion.
One could say the US economy was exponential both before and after the currency change, but as with Moore's Law, it gets harder to remain exponential if as few as one limiting factor is emerging.
Couldn't it just be responsible for its own key and signing incremental advances to a log that all publishers are responsible for storing up to their latest submission to it?
If it needed to restart and some last publisher couldn't give it its latest entries, well they would deserve that rollback to the last publish from a good publisher..