----- Original Message -----
From: "Josh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 14, 2001 4:41 AM
Subject: RE: [freenet-tech] RE: [freenet-chat] RE: I've designed a global file system,...

> Good points!
>
> The system will operate fine when the central authentication (not
> security) is taken out, it's just that at that point in time User X will
> not be able to validate that file Y is authentic and really came from
> domain Z, for the first time. It's designed so that existing trusts, from
> www.cnn.com to their ISP, for example, will continue to operate. So the
> ISP and CNN will still be sure they have authentic files, but a new
> party, let's say another ISP, who wishes to get the cnn files from the
> first ISP, will not be able to validate that they are authentic files,
> while the central authentication system is down.

How about using a web of trust (like PGP does)? Everyone could create keys and trust whoever they want, but sites could gain trust automatically by caching content and not corrupting it.

The original site (www.cnn.com in this case) could sign everything it posts. Clients could then download the stuff www.cnn.com posted from any site that cached the content. The client then automatically retrieves the signatures for the content and compares them with the files it got. If the signature is good, the site the content was downloaded from gains a certain amount of trust. If the signature doesn't match, the site loses a great deal of trust.

After a site gains a certain amount of trust (which can be set by the user), the client automatically signs the site's public key, knowing that it is an "honorable" site. Like in PGP, users can choose to trust other users' signatures, so sites could immediately gain the "honorable" status, if they have served good (unchanged) content to friends of a user.

This system has its flaws, though. The most obvious one is that an attacker could generate a bogus (but trustworthy-sounding) key and post fake information with it. If a user has not previously visited the real site and does not know anyone who has, the user could still be fooled into getting the fake content.

-- 
Mika Hirvonen <[EMAIL PROTECTED]>
http://www.saunalahti.fi/hirvox/
PGP key @ http://www.saunalahti.fi/hirvox/stormshadow.asc
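The trust bookkeeping described in the message above, as an added example that is not part of the original e-mail. Textbook RSA over fixed Mersenne primes stands in for PGP signatures (a toy, not secure); the gain, loss and threshold values, the site names and all function names are assumptions. The last download in demo() shows the flaw the message names: a client with no prior knowledge of the real key verifies against whatever key it is handed.

```python
import hashlib

E = 65537

def toy_keypair(p, q):
    """Textbook RSA from two known primes: demo only, NOT secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(content, n):
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % n

def sign(content, private):
    n, d = private
    return pow(digest(content, n), d, n)

def verify(content, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(content, n)

class TrustLedger:
    """Client-side score per caching site. The message only says a good
    signature earns "a certain amount" and a bad one costs "a great deal";
    the numbers here are assumed, user-settable defaults."""
    def __init__(self, gain=1, loss=10, threshold=3):
        self.gain, self.loss, self.threshold = gain, loss, threshold
        self.scores = {}
        self.endorsed = set()  # sites whose public key the client has signed

    def record_download(self, site, content, signature, origin_public):
        ok = verify(content, signature, origin_public)
        self.scores[site] = self.scores.get(site, 0) + (self.gain if ok else -self.loss)
        if self.scores[site] >= self.threshold:
            self.endorsed.add(site)
        return ok

# Constructed keys: the real origin's, and an attacker's look-alike key.
ORIGIN_PUB, ORIGIN_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)
BOGUS_PUB, BOGUS_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)

def demo():
    ledger = TrustLedger()
    article = b"constructed sample article"
    sig = sign(article, ORIGIN_PRIV)
    for _ in range(3):  # honest cache serves unchanged content three times
        ledger.record_download("mirror-a.example", article, sig, ORIGIN_PUB)
    ledger.record_download("mirror-b.example", article + b" altered", sig, ORIGIN_PUB)
    # The flaw: a first-time user is handed the bogus key as "the origin's".
    fake = b"constructed fake article"
    fooled = ledger.record_download("mirror-c.example", fake, sign(fake, BOGUS_PRIV), BOGUS_PUB)
    return ledger, fooled
```

The signature check only binds content to a key; binding the key to the real site still has to come from somewhere else, which is the gap the message points out.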
