Re: [freenet-support] Getting rid of the last central point of failure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Since freenet is open source, I would imagine that there are people who independently verify the validity of all builds by looking at the source and the diffs. I think that this is probably the only way to guarantee the validity of a build, and even with that it might not be 100%. I think that gpg signing the builds would give us probably 90% confidence that the builds are good. The other 10% would be from these people looking at the source and reporting (like to slashdot) if there is a compromised build (where they see what appears to be malignant code and nobody official can sufficiently justify its presence). This is what most other security-related projects do (e.x. gpg, iip, etc.) AFAIK. :GeckoX -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE92P3wSMrcfZpjDKERAoR6AKCS+3XmmzbDjFttVPWE0ltoB17wYQCgkBW+ 5wMLp5FaaS+ocakzOO6aD9A= =RufJ -END PGP SIGNATURE- ___ support mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
[freenet-support] Re: [freenet-dev] Getting rid of the last central point of failure
Oh yes it's all so simple we sign the webinstaller in fact we don't even need to do that we just insert it under an SSK. /sarcasm. The problem is that we need to be able to revoke and/or update the signing key, otherwise a Bad Guy who got the key could destroy most of the network just by distributing compromized nodes. You can, of course, revoke signatures with GPG without a problem and then sign the distributions with it (at least as a detached signature). The installer could offer to check that signature by calling GPG but this is highly insecure (as anyone who replaced the binary would forge the call). What you really want is for people to check the signature themselves (with GPG/PGP). -- Michael T. Babcock CTO, FibreSpeed Ltd. ___ support mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
Re: [freenet-support] Re: [freenet-dev] Getting rid of the last central point of failure
-BEGIN PGP SIGNED MESSAGE- On Mon, 18 Nov 2002 06:53:51 -0800 Michael T. Babcock [EMAIL PROTECTED] wrote: Oh yes it's all so simple we sign the webinstaller in fact we don't even need to do that we just insert it under an SSK. /sarcasm. The problem is that we need to be able to revoke and/or update the signing key, otherwise a Bad Guy who got the key could destroy most of the network just by distributing compromized nodes. You can, of course, revoke signatures with GPG without a problem and then sign the distributions with it (at least as a detached signature). The installer could offer to check that signature by calling GPG but this is highly insecure (as anyone who replaced the binary would forge the call). What you really want is for people to check the signature themselves (with GPG/PGP). Yes thats excellent from a corporate perspective since the more areas you leave for the l'users your customers to fuckup the less liability you have. However in an open for the most part volunteer project such liability and profit concerns do not arise so for that reason the developers can afford to design systems to protect the l'user from their own incompetence and are necessary if one cares to attempt to offer security and anonymity rather than create opportunities to destroy it. I don't believe our system works, you fucked up is an appropriate goal in the circumstances. -BEGIN PGP SIGNATURE- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlcEARECABcFAj3ZGgwQHGthYm9vbUBodXNoLmNvbQAKCRB5zuO1YwPwCafmAJ0VR2EA Q3GynwO7lJWiDv7rs3JtVQCglgBMYXMvwzk4HGmT9V18k9ik+c8= =pxSH -END PGP SIGNATURE- Get your free encrypted email at https://www.hushmail.com ___ support mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
[freenet-support] Prob with IBM SDK and authentication
-BEGIN PGP SIGNED MESSAGE- Just thot i'd mention it but i can no longer get freenet to run properly with IBM's JVM 1.3 omething ithink it is in winxp. I get Javo io errors on all connections which i ran into before with an Excelsior JEt compile,, same thing,,, IBM's is slightly faster than Sun's but not enough to fight with it, so not that i care but i'm passing it along. thus Nov 18, 2002 8:21:10 AM (freenet.session.FnpLink, FThread-8): I/O error during outbound auth: java.io.EOFException Nov 18, 2002 8:21:11 AM (freenet.OpenConnectionManager, FThread-3): Established connection: tcpconnection: 209.204.139.104:2479 Nov 18, 2002 8:21:12 AM (freenet.session.FnpLink, FThread-17): I/O error during inbound auth: java.io.EOFException Nov 18, 2002 8:21:12 AM (freenet.interfaces.FreenetConnectionRunner, FThread-17): Inbound connection failed: freenet.ConnectFailedException: Against peer (null) @ 80.14.118.105:33069 - I/O error during inbound auth: java.io.EOFException (terminal) Nov 18, 2002 8:21:12 AM (freenet.OpenConnectionManager, FThread-17): Established connection: tcpconnection: 69.3.9.106:5089 Nov 18, 2002 8:21:18 AM (freenet.OpenConnectionManager, FThread-18): Established connection: tcpconnection: 66.28.14.56:7435 Nov 18, 2002 8:21:20 AM (freenet.OpenConnectionManager, FThread-8): Established connection: tcpconnection: 68.11.70.164:24543 Nov 18, 2002 8:21:22 AM (freenet.session.FnpLink, FThread-15): I/O error during outbound auth: java.io.EOFException and that was on everything even if 0 ms routing time is fantastic o the delete key thing i was trying to remeber was the delete local key thing, duhh -BEGIN PGP SIGNATURE- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlcEARECABcFAj3ZHkEQHGthYm9vbUBodXNoLmNvbQAKCRB5zuO1YwPwCb7EAJ0SxEXz beVHB2hZlpO/aRYXB0LRFwCfXQCZevVX91leMEnq51YLevaNV+M= =2vcT -END PGP SIGNATURE- Get your free encrypted email at https://www.hushmail.com ___ support mailing list [EMAIL PROTECTED] http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support