Text file src/github.com/google/certificate-transparency-go/internal/witness/README.md

CT Witness
==============

The witness is an HTTP service that stores STHs (Signed Tree Heads) it has seen from
a configurable list of Certificate Transparency logs in a sqlite database.  This
is a lightweight way to help detect, or even prevent, split-view attacks: a log
that shows different tree heads to different clients cannot keep both views
consistent with the one the witness has recorded.  An overview of witnessing can
be found in
[trillian-examples](https://github.com/google/trillian-examples/tree/master/witness),
along with "generic" witness implementations.  This witness is designed to be
compatible with the specific formats used by CT.

Once up and running, the witness provides three API endpoints (as defined in
[api/http.go](api/http.go)):
- `/ctwitness/v0/logs` returns a list of all logs for which the witness is
  currently storing an STH.
- `/ctwitness/v0/logs/<logid>/update` updates the STH stored for `logid`.
- `/ctwitness/v0/logs/<logid>/sth` returns the latest STH for `logid`.

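The following Go program is an added example, not code from this README or from the witness itself. It shows the comparison a monitor would make between an STH fetched directly from a log and the STH the witness returns from its `/sth` endpoint: same tree size with a different root hash is a split view. It assumes (and this is an assumption, not something `api/http.go` is known to guarantee) that the witness returns the RFC 6962 `get-sth` JSON body, and it does not verify the log's signature with the configured `pubKey`. The `STH`, `Compare` and `SampleSTH` names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// STH mirrors the RFC 6962 get-sth JSON body. This example ASSUMES the
// witness's /ctwitness/v0/logs/<logid>/sth endpoint returns the same shape;
// check api/http.go for the actual format before relying on it.
type STH struct {
	TreeSize  uint64 `json:"tree_size"`
	Timestamp uint64 `json:"timestamp"`
	RootHash  string `json:"sha256_root_hash"`
	Signature string `json:"tree_head_signature"`
}

// Verdict is the result of comparing the log's view with the witness's view.
type Verdict int

const (
	Consistent   Verdict = iota // same tree size, same root hash
	SplitView                   // same tree size, different root hash
	Inconclusive                // different tree sizes: needs a consistency proof
)

func (v Verdict) String() string {
	return [...]string{"consistent", "SPLIT VIEW", "inconclusive"}[v]
}

// parseSTH decodes the JSON and the base64 root hash, rejecting malformed input.
func parseSTH(raw []byte) (STH, []byte, error) {
	var s STH
	if err := json.Unmarshal(raw, &s); err != nil {
		return s, nil, fmt.Errorf("bad STH JSON: %w", err)
	}
	root, err := base64.StdEncoding.DecodeString(s.RootHash)
	if err != nil {
		return s, nil, fmt.Errorf("bad root hash: %w", err)
	}
	if len(root) != 32 {
		return s, nil, fmt.Errorf("root hash is %d bytes, want 32", len(root))
	}
	return s, root, nil
}

// Compare is the split-view check: if the log and the witness both report an
// STH for the same tree size, the root hashes must match. Signatures are NOT
// verified here; a real monitor checks them against the log's pubKey first.
func Compare(logRaw, witnessRaw []byte) (Verdict, error) {
	l, lroot, err := parseSTH(logRaw)
	if err != nil {
		return Inconclusive, fmt.Errorf("log STH: %w", err)
	}
	w, wroot, err := parseSTH(witnessRaw)
	if err != nil {
		return Inconclusive, fmt.Errorf("witness STH: %w", err)
	}
	if l.TreeSize != w.TreeSize {
		return Inconclusive, nil
	}
	if bytes.Equal(lroot, wroot) {
		return Consistent, nil
	}
	return SplitView, nil
}

// SampleSTH builds a constructed STH body for demonstration: a 32-byte root
// hash filled with fill, and a placeholder signature. Not a real log's data.
func SampleSTH(treeSize uint64, fill byte) []byte {
	s := STH{
		TreeSize:  treeSize,
		Timestamp: 1700000000000,
		RootHash:  base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{fill}, 32)),
		Signature: "BAMARg==", // placeholder bytes, not a valid signature
	}
	out, _ := json.Marshal(s)
	return out
}

func main() {
	cases := []struct {
		name         string
		log, witness []byte
	}{
		{"same tree", SampleSTH(1000, 0x11), SampleSTH(1000, 0x11)},
		{"forked tree", SampleSTH(1000, 0x11), SampleSTH(1000, 0x22)},
		{"witness behind", SampleSTH(1200, 0x11), SampleSTH(1000, 0x11)},
	}
	for _, c := range cases {
		v, err := Compare(c.log, c.witness)
		fmt.Printf("%-15s -> %v (err=%v)\n", c.name, v, err)
	}
}
```

When the tree sizes differ, the check is deliberately inconclusive: the witness may simply be behind the log, and the two heads can only be reconciled with a consistency proof from the log's `get-sth-consistency` endpoint, which is the check the `/update` endpoint is there to gate.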
Running the witness
--------------------

Running the witness is as simple as running `go run ./cmd/witness/main.go` from
this directory, with the following flags:
- `listen`, which specifies the address and port to listen on.
- `db_file`, which specifies the desired location of the sqlite database.  The
  use of sqlite limits the scalability and reliability of the witness (because
  this is a local file), so if either of those is required a different database
  backend would be needed.
- `config_file`, which specifies configuration information for the logs.  This
  repository contains a [sample configuration file](cmd/witness/example.conf),
  and in general it is necessary to specify the following fields for each log:
    - `logID`, which is the alphanumeric identifier for the log.
    - `pubKey`, which is the base64-encoded public key of the log, used to
      verify the signatures on the STHs it submits.
  Both of these fields should be populated using an "official"
  [CT log list](https://www.gstatic.com/ct/log_list/v3/log_list.json).
- `private_key`, which specifies the private signing key of the witness.  In its
  current state the witness does not sign STHs, so this can exist in any form.
