Following up from transparency-dev/tessera#1018
I think it's fragile how tesseract overwrites just the timestamp, but otherwise keeps the entry that was constructed from the submission. It means that inputs to the critical SCT signing operation come from multiple places, and consequentially might not be coherent. Instead, tesseract should retrieve the entire entry from storage, not just the timestamp, and completely discard the entry constructed from the submission. That way, a malfunction in the antispam driver can only cause the wrong SCT to be returned; it can't kill the log by returning an invalid SCT.
Following up from transparency-dev/tessera#1018
I think it's fragile how tesseract overwrites just the timestamp, but otherwise keeps the entry that was constructed from the submission. It means that inputs to the critical SCT signing operation come from multiple places, and consequentially might not be coherent. Instead, tesseract should retrieve the entire entry from storage, not just the timestamp, and completely discard the entry constructed from the submission. That way, a malfunction in the antispam driver can only cause the wrong SCT to be returned; it can't kill the log by returning an invalid SCT.