Closed thedavidmeister closed 11 months ago
maybe i could ask the author to provide a git commit hash alongside the time chain, and i lookup the ecosystem json from github myself?
something like https://raw.githubusercontent.com/cloudflare/roughtime/a69ef1dab727dd9b5ef88229188d4e8759fb4c28/ecosystem.json
if they give me a69ef1dab727dd9b5ef88229188d4e8759fb4c28
...
is that the best way to solve this atm?
Google-Roughtime and IETF-Roughtime both leave this problem out-of-scope. If you want to request this feature for the IETF draft, I'd suggest raising this on the draft itself: https://github.com/aanchal4/draft-roughtime
i want to be able to audit a chain of times produced by someone else
the docs say that clients need to dynamically pull lists of servers and to never hardcode trust or expect any particular server to exist
so how do i know that someone else's chain of times wasn't simply generated by themselves to point at a list of servers they control?
is there some way that i can ask them to provide a signed whitelist of servers, so that i can at least choose to trust the whitelist itself? that way, even if the whitelist is dynamic and arbitrary i can verify the source
i had a look here - https://github.com/cloudflare/roughtime/blob/master/ecosystem.json - and i only see keys of servers, i don't see any signature for the json itself
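The commit-pinning idea raised in this thread, sketched as an added example (not code from the thread or from the roughtime project): the auditor builds the pinned URL from a full commit hash, then flags any chain link whose server key is absent from that version of the list. The `servers`/`publicKeyType`/`publicKey` field names and the `serverPublicKey` chain field are assumptions about the file layouts, the sample data is constructed, and the check covers list membership only, not the signatures inside the chain.

```python
import base64
import json
import re

RAW = "https://raw.githubusercontent.com/cloudflare/roughtime/{commit}/ecosystem.json"

def pinned_url(commit: str) -> str:
    """Build the commit-pinned URL; reject branch names and short hashes."""
    if not re.fullmatch(r"[0-9a-f]{40}", commit):
        raise ValueError("expected a full 40-hex-digit commit hash")
    return RAW.format(commit=commit)

def allowed_keys(ecosystem_text: str) -> set:
    """Decode every ed25519 server key in the pinned server list."""
    keys = set()
    for server in json.loads(ecosystem_text)["servers"]:  # assumed layout
        if server.get("publicKeyType") != "ed25519":
            continue
        key = base64.b64decode(server["publicKey"], validate=True)
        if len(key) != 32:
            raise ValueError(f"bad key length for {server.get('name')!r}")
        keys.add(key)
    return keys

def unlisted_links(chain: list, allowed: set) -> list:
    """Return indexes of chain links whose server key is not in the list."""
    return [i for i, link in enumerate(chain)  # "serverPublicKey" is assumed
            if base64.b64decode(link["serverPublicKey"], validate=True) not in allowed]

def _key(b: int) -> str:
    """Constructed 32-byte placeholder key, base64-encoded."""
    return base64.b64encode(bytes([b]) * 32).decode()

# Constructed sample data standing in for the fetched file and a received chain.
SAMPLE_ECOSYSTEM = json.dumps({"servers": [
    {"name": "example-a", "publicKeyType": "ed25519", "publicKey": _key(1)},
    {"name": "example-b", "publicKeyType": "ed25519", "publicKey": _key(2)},
]})
SAMPLE_CHAIN = [{"serverPublicKey": _key(1)},
                {"serverPublicKey": _key(9)},   # key not in the pinned list
                {"serverPublicKey": _key(2)}]

if __name__ == "__main__":
    print(pinned_url("a69ef1dab727dd9b5ef88229188d4e8759fb4c28"))
    print(unlisted_links(SAMPLE_CHAIN, allowed_keys(SAMPLE_ECOSYSTEM)))
```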