Description
originally posted here:
cloudflare/roughtime#17 (comment)
i want to be able to audit a chain of times produced by someone else
the docs say that clients need to dynamically pull lists of servers and to never hardcode trust or expect any particular server to exist
so how do i know that someone else's chain of times wasn't simply generated by themselves to point at a list of servers they control?
is there some way that i can ask them to provide a signed whitelist of servers, so that i can at least choose to trust the whitelist itself? that way, even if the whitelist is dynamic and arbitrary i can verify the source
i had a look here - https://github.com/cloudflare/roughtime/blob/master/ecosystem.json - and i only see keys of servers, i don't see any signature for the json itself