Interesting, we could explore different trust models, like PGP's web of
trust, perhaps even using the PGP public key servers. Or perhaps a
multi-referral trust model: ask others we trust if they know and trust
the new party. In any case I'd like to avoid the CertificateAuthority
model.
Cheers,
Peter.
Simon IJskes - QCG wrote:
Some notes:
* the most basic trust bootstrap is generating a local priv/pub
keypair for your own identity, so without an introducer.
* in this case, verification occurs outside the scope of River.
* in order to exchange unknown public keys with TLS, we need a
key-collecting X509TrustManager, inserted into River via the
com.sun.jini.jeri.ssl.trustManagerFactoryAlgorithm property.
Comments? Additions?
Gr. Sim