On Thu, Aug 17, 2000 at 06:30:23PM +1000, Zem wrote:
> As someone pointed out on the freenet-tech list, if there is a way of
> determining whether or not a node is transient, any requests which come
> from that node must have been originated by the operator.
>
> For example: feds run a node and log the IP addresses of any nodes
> requesting known "illegal" keys. grep for any that belong to obvious
> dialup IP blocks at major ISPs. Since dialup freenet nodes must be
> transient, those requests must have come from the user. Search warrant,
> bust, repeat.
This is more or less correct: a transient node doesn't set the DataSource field, so one can see that a transient node has connected. Running a transient node is more about performance (keeping your own routing table) than adding any real security above just using a plain client.

> > You must have an Address->Key link so that you can say "I expect Address
> > to have this key", at which point you can verify something.

I still don't agree with Scott here. The only reason to have the public key fingerprint is so that the node can check that it is actually talking to the node that it got from the DataSource. I don't think allowing nodes to look up new addresses from the fingerprint, should connecting to the old address fail, is a security hole; you still know it's the same node. But it has to be considered something that the node does rarely and at "maintenance time" (we will never support nodes on dialup lines changing IPs every hour like this). I'm actually warming up to the idea of making the address: physical address + fingerprint + number, and having the node look up ARK(fingerprint, (number + 1)) should the connect fail (ARK is Address Resolution Key).

> Any use of public keys implies a web of trust, no?

No, there is no real web of trust here. Or a loose one at most. Nodes learn about new nodes by reading the DataSource: field in data-carrying messages, and then connect to it. There is no way of verifying that the address in the DataSource is the "correct" one in any sense of the word; it could very well be pointing at a malicious node. However, with the current system, you can jump on a node and just MITM connections as you like. If we have the proposed PK fingerprint on the DataSource address, then you have to try to infiltrate the nodes that the node is talking to in order to place false DataSource: addresses in the messages.

> So node Alice has been speaking to node Bob for a long time, and has
> added Bob to the list of "trusted hosts" (or whatever).
>
> One day Bob shows up with the same key but a different IP address.
>
> Alice should be able to conclude that this is the same Bob, and should
> therefore be accorded the same trust rating (whatever that is).
>
> Why should any of this be tied to the physical IP address?

Except for the part about "trusted hosts" (we trust nobody) I agree.

> --
> zem at zip.com.au F289 2BDB 1DA0 F4C4 DC87 EC36 B2E3 4E75 C853 FD93
> zem.squidly.org "..I'm invisible, I'm invisible, I'm invisible.."
>
> _______________________________________________
> Freenet-dev mailing list
> Freenet-dev at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/freenet-dev

-- 
\oskar
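Added illustration (not part of the thread and not Freenet's code) of the reference scheme proposed in the reply above: a node reference is physical address + public-key fingerprint + number, a connecting node checks that whoever answers at the address can prove it holds the key behind the fingerprint, and if the connect fails it looks up ARK(fingerprint, number + 1). Everything here is a stand-in: the signature scheme is textbook RSA over fixed Mersenne primes (deterministic and dependency-free, not secure), the "network" and the "ARK store" are in-memory dicts, and the message formats, hostnames and function names are invented for the demo.

```python
"""Toy model of: address + key fingerprint + ARK number, with ARK fallback."""
import hashlib
import secrets
from dataclasses import dataclass

# --- Toy signature scheme (textbook RSA, fixed Mersenne primes). Stand-in only.
E = 65537

def _h(msg: bytes) -> int:
    # 128-bit digest: always smaller than every modulus used below
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

@dataclass(frozen=True)
class PublicKey:
    n: int
    def fingerprint(self) -> str:
        return hashlib.sha256(str(self.n).encode()).hexdigest()[:40]
    def verify(self, msg: bytes, sig: int) -> bool:
        return pow(sig, E, self.n) == _h(msg)

class PrivateKey:
    def __init__(self, p: int, q: int):
        self.n, self.d = p * q, pow(E, -1, (p - 1) * (q - 1))
        self.public = PublicKey(self.n)
    def sign(self, msg: bytes) -> int:
        return pow(_h(msg), self.d, self.n)

# --- What a node keeps about a peer (the DataSource reference in the thread)
@dataclass
class NodeRef:
    address: str      # physical address
    fingerprint: str  # fingerprint of the peer's public key
    number: int       # ARK edition we last saw

NETWORK: dict = {}    # address -> Node (simulated network, assumption)
ARK_STORE: dict = {}  # (fingerprint, number) -> (PublicKey, address, sig)

class Node:
    def __init__(self, address: str, key: PrivateKey):
        self.address, self.key = address, key
        NETWORK[address] = self
    def handshake(self, nonce: bytes):
        """Answer a connect: present public key and prove we hold the private half."""
        return self.key.public, self.key.sign(nonce)
    def move(self, new_address: str, number: int):
        """Change address and publish ARK(fingerprint, number) pointing at it."""
        del NETWORK[self.address]
        self.address = new_address
        NETWORK[new_address] = self
        sig = self.key.sign(f"{number}:{new_address}".encode())
        ARK_STORE[(self.key.public.fingerprint(), number)] = (self.key.public, new_address, sig)

def try_connect(ref: NodeRef, check_key: bool = True):
    """Node at ref.address, or None if unreachable or not the expected key."""
    node = NETWORK.get(ref.address)
    if node is None:
        return None
    nonce = secrets.token_bytes(16)
    pub, sig = node.handshake(nonce)
    if check_key and (pub.fingerprint() != ref.fingerprint or not pub.verify(nonce, sig)):
        return None  # someone else is answering at that address
    return node

def resolve_ark(ref: NodeRef):
    """Look up ARK(fingerprint, number + 1); accept only a record signed by that key."""
    entry = ARK_STORE.get((ref.fingerprint, ref.number + 1))
    if entry is None:
        return None
    pub, address, sig = entry
    if pub.fingerprint() != ref.fingerprint or not pub.verify(f"{ref.number + 1}:{address}".encode(), sig):
        return None
    return NodeRef(address, ref.fingerprint, ref.number + 1)

def contact(ref: NodeRef, check_key: bool = True):
    """Connect; if that fails, fall back once to the ARK lookup."""
    node = try_connect(ref, check_key)
    if node is not None:
        return node, ref
    new_ref = resolve_ark(ref)
    if new_ref is None:
        return None, ref
    return try_connect(new_ref, check_key), new_ref

def demo() -> dict:
    NETWORK.clear(); ARK_STORE.clear()
    bob = Node("bob.example:19114", PrivateKey(2**61 - 1, 2**89 - 1))
    mallory_key = PrivateKey(2**107 - 1, 2**127 - 1)
    ref = NodeRef(bob.address, bob.key.public.fingerprint(), 0)
    out = {"direct": contact(ref)[0] is bob}
    # Bob moves and publishes ARK edition 1; Mallory takes over the old address
    old = bob.address
    bob.move("bob-new.example:19114", number=1)
    mallory = Node(old, mallory_key)
    # Address-only reference: whoever answers is accepted (the MITM case)
    out["mallory_accepted_without_key_check"] = contact(ref, check_key=False)[0] is mallory
    # Fingerprint reference: Mallory rejected, ARK followed to Bob's new address
    node, new_ref = contact(ref)
    out["mallory_rejected_ark_followed"] = node is bob and new_ref.number == 1
    # A forged ARK edition 2 signed with Mallory's key is ignored
    ARK_STORE[(ref.fingerprint, 2)] = (mallory_key.public, old, mallory_key.sign(b"2:" + old.encode()))
    out["forged_ark_ignored"] = resolve_ark(new_ref) is None
    return out

if __name__ == "__main__":
    print(demo())
```

The point the demo makes concrete is the one in the reply: the fingerprint does not establish that the DataSource address is "correct", only that a node which later answers, or which signs an ARK record, is the same node; anyone can still hand out a bogus reference, but they cannot step into an existing one.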