[Olsr-users] PKI architecture for freifunk/funkfeier

Henning Rogge (spam-protected)
Sun Feb 8 10:53:54 CET 2009


On Wednesday 04 February 2009 00:41:13 Juliusz Chroboczek wrote:
> > Theoretically we could just set up a central PKI (which would make things
> > very easy), but this would allow the owner/maintainer of the PKI to
> > control the whole network. This is not acceptable for a community project
> > like Freifunk and Funkfeuer.
>
> Yep.  Additionally, as others have mentioned, you don't want to perform
> asymmetric crypto on every routing packet.
Okay...

> > My idea is that each gateway to the internet sets up its own PKI root
> > key. The owners of the gateways can build something like a web of trust
> > between each other.
>
> A simpler solution would be for each node to have a list of trusted keys
> (stored as a file somewhere in the filesystem).  Your node would
> periodically (say, once every night) download a PGP-signed list of trusted
> keys.
Yes, that should always be the first step. The user of a node has to choose a 
"source" where he gets his master key(s). Or multiple sources...

> Friendly people could then provide lists of public keys of trusted
> gateways.  For example, I could program my node to download the list
> provided by Henning and the list provided by Aaron, merge the two, then
> remove key 77FF5F3B, which happens to belong to somebody I don't trust.
Yes, that would be a nice way to do it...

The routing agent stores a number of sources for trusted keys (most likely in 
the form of signed certificates, so you can cache and redistribute them) and 
updates them once every 24 hours. In a meshnet it might even be better to push 
them from the servers to the network once every 24 hours with a netwide 
broadcast, but that's just an optimization.

> The main advantage is that all of the complex policy issues are cleanly
> encapsulated in the downloading process -- the routing daemon only checks
> the packets against a list of keys.
The question is HOW to check them... if you just use a cryptographic hash and 
a symmetric encryption function, anyone who has to check the packet needs the 
symmetric key, so he can forge packets.

> The main flaw is that it means that
> a new gateway cannot fully join the network in less than 24 hours.
Maybe it's a good thing to "generalize" the idea of "multiple PKI roots" away 
from the gateways. A Freifunk/Funkfeuer/Community-Mesh network might just 
choose to have "n" PKI servers which are maintained by different trusted 
people. The sum of these servers should be used to handle authentication in 
the network, so you have both some redundancy (one/two keyservers down) and 
security against a mean admin.

Henning
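The key-list policy discussed above (download lists from several sources, merge them, drop a key you distrust, then have the routing daemon do nothing but check packets against the result), written out as an added Go sketch that is not part of this thread or of olsrd. It assumes Ed25519 signatures, a constructed short key-id scheme, and plain maps in place of the downloaded files; the HMAC function at the end is there only to make Henning's objection to symmetric checks concrete.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// KeyID is the short id a user names in a policy (like "remove key 77FF5F3B").
// Assumed scheme, not from the thread: hex of the first 4 SHA-256 bytes of the key.
type KeyID string
type TrustList map[KeyID]ed25519.PublicKey // one downloaded list of trusted gateway keys
func KeyIDOf(pk ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pk)
	return KeyID(hex.EncodeToString(sum[:4]))
}

// MergeTrustLists is the thread's policy: union of the lists fetched from
// several sources, minus the keys the node owner explicitly distrusts.
func MergeTrustLists(exclude []KeyID, sources ...TrustList) TrustList {
	merged := TrustList{}
	for _, src := range sources {
		for id, pk := range src {
			merged[id] = pk
		}
	}
	for _, id := range exclude {
		delete(merged, id)
	}
	return merged
}

// VerifyPacket is all the routing daemon does: try each trusted public key.
// Holding only public keys, a verifier cannot forge a valid signature.
func VerifyPacket(trusted TrustList, packet, sig []byte) (KeyID, bool) {
	for id, pk := range trusted {
		if ed25519.Verify(pk, packet, sig) {
			return id, true
		}
	}
	return "", false
}

// Symmetric alternative (Henning's objection): a verifier must hold the same
// secret, so it can compute a valid tag for any packet it likes.
func SymmetricTag(secret, packet []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(packet)
	return m.Sum(nil) // check with hmac.Equal(tag, SymmetricTag(secret, packet))
}
```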
