
ProtonMail/kt-auditor

Proton Key Transparency Auditing Server

The Proton Key Transparency Auditing Server (KtAuditor) is a monitoring tool that examines certificate transparency (CT) logs for key transparency (KT) epoch certificates and verifies the key transparency epoch Merkle trees. KtAuditor checks that these certificates are consistent with the observed key transparency state and validates the KT state tree for each epoch.

Getting Started

KtAuditor currently supports the following backends for polling KT certificates from CT logs:

Using Docker (certspotter):

  1. (Optional) Specify the CT logs to monitor by creating a logs.json file in the scripts folder (Refer to template).

  2. (Optional) Configure an email server for notifying KT errors via mail by creating an email-config.json file in the scripts folder (Refer to template).

  3. Build and run the Docker container. Ensure that the container has sufficient memory resources, as inadequate memory may result in tree verification failures.

    docker build -t ktauditor:1 .
    docker run -d --shm-size=16gb --memory=16gb -e KTAUDITOR_MAIL_TO="tosend@mail.mail" ktauditor:1

Using certspotter:

  1. Install certspotter and the KT monitor command.

    scripts/install.sh

  2. (Optional) Specify the CT logs to monitor by creating a logs.json file in the scripts folder (Refer to template).

  3. (Optional) Configure an email server for notifying KT errors via mail by creating an email-config.json file in the scripts folder (Refer to template).

  4. Run the certspotter command.

    scripts/run-certspotter.sh

  5. Run the KtAuditor command and optionally set an email to send notifications.

    scripts/run-ktauditor-certspotter.sh "tosend@mail.mail"

Using crt.sh:

  1. Install the KT monitor command.

    scripts/install.sh

  2. (Optional) Configure an email server to notify KT errors via mail by creating an email-config.json file in the scripts folder (Refer to template).

  3. Run the KtAuditor command, define the starting epoch for monitoring (if there is no saved state), and optionally set an email for notifications.

    scripts/run-ktauditor-crtsh.sh <start_epoch> "tosend@mail.mail"

Performance

Verification of the key transparency Merkle tree currently runs entirely in memory, so a substantial amount of memory is required for validation to succeed.
