[Olsr-users] PKI architecture for freifunk/funkfeier

Juliusz Chroboczek (spam-protected)
Wed Feb 4 00:41:13 CET 2009


> Theoretically we could just set up a central PKI (which would make things
> very easy), but this would allow the owner/maintainer of the PKI to
> control the whole network. This is not acceptable for a community project
> like Freifunk and Funkfeuer.

Yep.  Additionally, as others have mentioned, you don't want to perform
asymmetric crypto on every routing packet.

> My idea is that each gateway to the internet set up its own PKI root
> key. The owners of the gateways can build something like a web of trust
> between each other.

A simpler solution would be for each node to have a list of trusted keys
(stored as a file somewhere in the filesystem).  Your node would
periodically (say, once every night) download a PGP-signed list of trusted
keys.

Friendly people could then provide lists of public keys of trusted
gateways.  For example, I could program my node to download the list
provided by Henning and the list provided by Aaron, merge the two, then
remove key 77FF5F3B, which happens to belong to somebody I don't trust.

The main advantage is that all of the complex policy issues are cleanly
encapsulated in the downloading process -- the routing daemon only checks
the packets against a list of keys.  The main flaw is that it means that
a new gateway cannot fully join the network in less than 24 hours.

I'm sure there are hashing schemes that are cheap enough for your average
200MHz MIPS chip.

                                        Juliusz
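
The nightly list update described in this message, as an added Python sketch that is not part of the original post: it merges only those lists whose signature verified, removes locally distrusted keys, and replaces the daemon's key file atomically. The file format (one hex key ID per line), the function names, the use of `gpgv` for the signature check, and every key ID other than 77FF5F3B are assumptions made for this example.

```python
import os
import re
import subprocess
import tempfile

KEY_ID = re.compile(r"[0-9A-F]{8,40}")  # short ID as in the post, up to a full fingerprint

def gpgv_ok(list_path, sig_path, keyring):
    """True if sig_path is a valid detached signature on list_path by a key in keyring."""
    cmd = ["gpgv", "--keyring", keyring, sig_path, list_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_key_list(text):
    """Assumed format: one hex key ID per line, '#' starts a comment."""
    tokens = (line.split("#", 1)[0].strip().upper() for line in text.splitlines())
    return {t for t in tokens if KEY_ID.fullmatch(t)}  # drops blanks and malformed lines

def update_trusted_keys(sources, distrusted, dest, verify):
    """sources: [(list_path, sig_path)]. Returns the installed set, or None (dest untouched)."""
    merged, verified_any = set(), False
    for list_path, sig_path in sources:
        if not verify(list_path, sig_path):
            continue                  # unsigned or tampered list contributes nothing
        verified_any = True
        with open(list_path, encoding="ascii", errors="replace") as fh:
            merged |= parse_key_list(fh.read())
    if not verified_any:
        return None                   # keep last night's list rather than an empty one
    merged -= {k.upper() for k in distrusted}  # local policy has the last word
    # Write to a temp file and rename, so the routing daemon never reads a partial list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(k + "\n" for k in sorted(merged)))
    os.replace(tmp, dest)
    return merged

def demo():
    """Constructed data: three list files; the stub verifier stands in for gpgv_ok."""
    d = tempfile.mkdtemp()
    files = {"henning.txt": "AAAA0001\n77FF5F3B\n", "aaron.txt": "aaaa0002  # gw\n",
             "forged.txt": "DEAD0001\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    srcs = [(os.path.join(d, n), os.path.join(d, n + ".sig")) for n in files]
    return update_trusted_keys(srcs, {"77FF5F3B"}, os.path.join(d, "trusted.keys"),
                               lambda lst, sig: not lst.endswith("forged.txt"))
```

In a real cron job the `verify` argument would wrap `gpgv_ok` with a keyring holding only the list publishers' keys.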



