Ray Dillinger wrote:
> On Sun, 2010-12-19 at 02:08 +0100, Loic Dachary wrote:
>
>>> .
>>>
>>> Most notably, if the certifying authority were to lose its legitimacy, side
>>> rings could emerge and take over on higher ethical grounds and with data
>>> loss on the users' side.
>>>
>> From your messages and Stéphane Bortzmeyer's remarks, it looks like a PGP
>> web of trust would be an acceptable balance. From a political / social
>> point of view, it would promote the emergence of multiple authorities
>> instead of a single authority. For instance, when a node tries to join a
>> DHT by contacting a known node, it would also accept to only trust nodes
>> that are connected to this node through the PGP web of trust. From a
>> technical point of view it would limit the nodes of the ring to those
>> accepting the same rule.
>>
> IMO the PGP web of trust is a failed idea. Trust is not and never was
> transitive. Treating it as such so magnifies the effect of a single
> bad actor or security breach as to render the system useless.
>

I think I see what you mean. If the ring can be compromised by any node, and entering the DHT ring only requires being accepted by a node that is already in the PGP trust ring, then the more nodes there are, the more vulnerable the DHT ring becomes.
Note, however, that I do not claim that it is a silver bullet, merely that it lies between a completely open DHT ring and a completely closed DHT ring where access is controlled by a central authority. It is good enough to ensure the security of Debian packages. Would it be good enough for a limited group of seeks nodes?

Cheers
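The admission rule discussed in this exchange (a node is accepted only if it is linked to a known node through a PGP-style web of trust) and Ray's objection to transitive trust, as a small added simulation that is not part of the thread. The parameter `k` plays the role of PGP's marginals-needed: `k=1` is fully transitive trust, `k>=2` demands several independent vouchers. All node names and signatures are constructed.

```python
# Constructed signature graph: signer -> keys that signer has signed.
WEB = {
    "bootstrap": {"alice", "bob", "carol"},  # the known node a joiner contacts
    "alice": {"dave"},
    "bob": {"dave"},
    "carol": {"erin"},
    "dave": set(),
    "erin": set(),
}


def admitted(web, root, k):
    """Keys the ring accepts: signed directly by root, or by >= k accepted keys.

    With k=1 every accepted key becomes an introducer (transitive trust);
    with k>=2 a single key cannot bring newcomers in on its own.
    """
    ok = {root}
    changed = True
    while changed:
        changed = False
        for key in web:
            if key in ok:
                continue
            vouchers = {s for s in ok if key in web[s]}
            if root in vouchers or len(vouchers) >= k:
                ok.add(key)
                changed = True
    return ok


def with_compromised(web, victim, rogue_keys):
    """Copy of the web where one compromised key signed extra keys that
    also cross-sign each other (the single bad actor / breach case)."""
    w = {s: set(signed) for s, signed in web.items()}
    w[victim] = w[victim] | set(rogue_keys)
    for r in rogue_keys:
        w[r] = set(rogue_keys) - {r}
    return w


def blast_radius(web, root, victim, rogue_keys, k):
    """Keys admitted only because `victim` was compromised."""
    before = admitted(web, root, k)
    after = admitted(with_compromised(web, victim, rogue_keys), root, k)
    return after - before


if __name__ == "__main__":
    for k in (1, 2):
        print(k, sorted(admitted(WEB, "bootstrap", k)),
              sorted(blast_radius(WEB, "bootstrap", "carol", {"r1", "r2"}, k)))
```

With `k=1` a compromise of `carol` admits every key she signs, which is the growth in exposure Loic describes; with `k=2` the same compromise admits nothing, at the price of excluding keys such as `erin` that have only one voucher.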
_______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
