This commit is contained in:
Pim van Pelt
@@ -14,7 +14,7 @@ subsequently it issued hundreds of fraudulent SSL certificates, some of which we
|
|||||||
man-in-the-middle attacks on Iranian Gmail users. Not cool.
|
man-in-the-middle attacks on Iranian Gmail users. Not cool.
|
||||||
|
|
||||||
Google launched a project called **Certificate Transparency**, because it was becoming more common
|
Google launched a project called **Certificate Transparency**, because it was becoming more common
|
||||||
that the root of trust given to _Certification Authorities_ could no longer be unilateraly trusted.
|
that the root of trust given to _Certification Authorities_ could no longer be unilaterally trusted.
|
||||||
These attacks showed that the lack of transparency in the way CAs operated was a significant risk to
|
These attacks showed that the lack of transparency in the way CAs operated was a significant risk to
|
||||||
the Web Public Key Infrastructure. It led to the creation of this ambitious
|
the Web Public Key Infrastructure. It led to the creation of this ambitious
|
||||||
[[project](https://certificate.transparency.dev/)] to improve security online by bringing
|
[[project](https://certificate.transparency.dev/)] to improve security online by bringing
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ subsequently it issued hundreds of fraudulent SSL certificates, some of which we
|
|||||||
man-in-the-middle attacks on Iranian Gmail users. Not cool.
|
man-in-the-middle attacks on Iranian Gmail users. Not cool.
|
||||||
|
|
||||||
Google launched a project called **Certificate Transparency**, because it was becoming more common
|
Google launched a project called **Certificate Transparency**, because it was becoming more common
|
||||||
that the root of trust given to _Certification Authorities_ could no longer be unilateraly trusted.
|
that the root of trust given to _Certification Authorities_ could no longer be unilaterally trusted.
|
||||||
These attacks showed that the lack of transparency in the way CAs operated was a significant risk to
|
These attacks showed that the lack of transparency in the way CAs operated was a significant risk to
|
||||||
the Web Public Key Infrastructure. It led to the creation of this ambitious
|
the Web Public Key Infrastructure. It led to the creation of this ambitious
|
||||||
[[project](https://certificate.transparency.dev/)] to improve security online by bringing
|
[[project](https://certificate.transparency.dev/)] to improve security online by bringing
|
||||||
@@ -53,11 +53,11 @@ implementations, TesseraCT or Sunlight, he thinks would be a good fit. One thing
|
|||||||
with me: "The community needs _any_ static log operator, so if Google thinks TesseraCT is ready, by
|
with me: "The community needs _any_ static log operator, so if Google thinks TesseraCT is ready, by
|
||||||
all means use that. The diversity will do us good!".
|
all means use that. The diversity will do us good!".
|
||||||
|
|
||||||
To find out if one or the other is 'ready' is partly on the software, but importantly also an the
|
To find out if one or the other is 'ready' is partly on the software, but importantly also on the
|
||||||
operator. So I carefully take Sunlight out of its cardboard box, and put it onto the same Dell R630
|
operator. So I carefully take Sunlight out of its cardboard box, and put it onto the same Dell R630
|
||||||
that I used in my previous tests: two Xeon E5-2640 v4 CPUs for a total of 20 cores and 40 threads,
|
that I used in my previous tests: two Xeon E5-2640 v4 CPUs for a total of 20 cores and 40 threads,
|
||||||
and 512GB of DDR4 memory. They also sport a SAS controller. In one machine I place 6pcs 1.2TB SAS3
|
and 512GB of DDR4 memory. They also sport a SAS controller. In one machine I place 6 pcs 1.2TB SAS3
|
||||||
disks (HPE part number EG1200JEHMC), and in the second machine I place 6pcs of 1.92TB enterprise
|
drives (HPE part number EG1200JEHMC), and in the second machine I place 6pcs of 1.92TB enterprise
|
||||||
storage (Samsung part number P1633N19).
|
storage (Samsung part number P1633N19).
|
||||||
|
|
||||||
### Sunlight: setup
|
### Sunlight: setup
|
||||||
@@ -70,7 +70,7 @@ tools is easy enough, there are three main tools:
|
|||||||
1. ***skylight***: Which serves the read-path. `/checkpoint` and things like `/tile` and `/issuer`
|
1. ***skylight***: Which serves the read-path. `/checkpoint` and things like `/tile` and `/issuer`
|
||||||
are served here in a spec-compliant way.
|
are served here in a spec-compliant way.
|
||||||
|
|
||||||
The YAML configuration file is staight forward, and can define and handle multiple logs in one
|
The YAML configuration file is straightforward, and can define and handle multiple logs in one
|
||||||
instance, which sets it apart from TesseraCT which can only handle one log per instance. There's a
|
instance, which sets it apart from TesseraCT which can only handle one log per instance. There's a
|
||||||
`submissionprefix` which `sunlight` will use to accept writes, and a `monitoringprefix` which
|
`submissionprefix` which `sunlight` will use to accept writes, and a `monitoringprefix` which
|
||||||
`skylight` will use for reads.
|
`skylight` will use for reads.
|
||||||
|
|||||||
Reference in New Issue
Block a user