[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]

Henning Rogge (spam-protected)
Fri Jan 30 10:56:21 CET 2009


as we are talking about security, I would like to share some ideas about a 
useful and acceptable PKI architecture for Freifunk/Funkfeuer networks.

Theoretically we could just set up a central PKI (which would make things very 
easy), but this would allow the owner/maintainer of the PKI to control the 
whole network. This is not acceptable for a community project like Freifunk 
and Funkfeuer.

My idea is that each gateway to the internet set up it's own PKI root key. The 
owners of the gateways can build something like a web of trust between each 

Each user who is starting a new node has to download/choose a gateway as his 
primary uplink and will a "chain of trust" for the rest of the gateways.

This way there is no "master PKI" and no special position for the first 
gateway of the network. If a network starts misbehaving, the other gateways 
can cancel their trust and ask the user not to choose this gateway as the 
originator for the chain of trust. But the ultimate responsibility who has the 
authority in the network is still in the hand of the user (by choosing his 
"master" gateway).

New users generate a local private/public key and have to transmit it to a 
gateway running a "register new node" service. This service does not need to 
run on all nodes.

What do you think about a structure like this ? Would this be an acceptable 
base we can use to build a security framework ?

Henning Rogge

Diplom Informatiker Henning Rogge
Forschungsgesellschaft für
Angewandte Naturwissenschaften e. V. (FGAN) 
Neuenahrer Str. 20, 53343 Wachtberg, Germany
Tel.: 0049 (0)228 9435-961
Fax: 0049 (0)228 9435-685
E-Mail: (spam-protected)
Web: www.fgan.de
Sitz der Gesellschaft: Bonn
Registergericht: Amtsgericht Bonn VR 2530
Vorstand: Dr. rer. nat. Ralf Dornhaus (Vors.), Prof. Dr. Joachim Ender 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.olsr.org/pipermail/olsr-users/attachments/20090130/23b84bfa/attachment.sig>

More information about the Olsr-users mailing list