[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]
Henning Rogge
(spam-protected)
Fri Jan 30 13:02:21 CET 2009
Am Friday 30 January 2009 12:02:23 schrieb Bernd Petrovitsch:
> On Fri, 2009-01-30 at 11:42 +0100, Henning Rogge wrote:
> > Am Friday 30 January 2009 11:30:46 schrieb Bernd Petrovitsch:
> > > On Fri, 2009-01-30 at 10:56 +0100, Henning Rogge wrote:
> > > [...]
> > >
> > > > as we are talking about security, I would like to share some ideas
> > > > about a useful and acceptable PKI architecture for Freifunk/Funkfeuer
> > > > networks.
> > > >
> > > > Theoretically we could just set up a central PKI (which would make
> > > > things very easy), but this would allow the owner/maintainer of the
> > > > PKI to control the whole network. This is not acceptable for a
> > > > community project like Freifunk and Funkfeuer.
> > > >
> > > > My idea is that each gateway to the internet set up it's own PKI root
> > > > key. The owners of the gateways can build something like a web of
> > > > trust between each other.
> > >
> > > So when a "network" administratively forces a limited set of gateways,
> > > you have exactly the situation you wanted above to avoid.
> >
> > No, you can just open your own gateway and begin your own PKI root... and
> > ask
>
> Assume a network using public IPs: I don't think that a random ISP
> customer (as seen from the ISP) has success in getting the ISP to speak
> BGPv4 with him.
If you want use public IP space you will have some kind of layer-8 policy
which kind of new gateways you will sign.
But I'm not sure what you try to say with your posts Bernd.
First you complain (at least that's how I understand your post) about the
possibility of control through a network with few gateways, then you argue
that you cannot built new gateways easily in a network with public IP space.
If you have a situation like this, the possibility of using public IP space is
some kind of service. If only a few gateways can provide this service, these
gateways can always control what network traffic goes through the gateway
(they don't need to control it, but they can). Other users could start to add
NAT gateways, but these would loose the option for public ips.
Because (most likely) the public-ip gateway group would not sign the key of a
gateway that does not create a proper tunnel, you will get some kind of
partition in PKI space. And the user will have to decide if they use only one
of the gateway groups or both of them.
Henning
*************************************************
Diplom Informatiker Henning Rogge
Forschungsgesellschaft für
Angewandte Naturwissenschaften e. V. (FGAN)
Neuenahrer Str. 20, 53343 Wachtberg, Germany
Tel.: 0049 (0)228 9435-961
Fax: 0049 (0)228 9435-685
E-Mail: (spam-protected)
Web: www.fgan.de
************************************************
Sitz der Gesellschaft: Bonn
Registergericht: Amtsgericht Bonn VR 2530
Vorstand: Dr. rer. nat. Ralf Dornhaus (Vors.), Prof. Dr. Joachim Ender
(Stellv.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.olsr.org/pipermail/olsr-users/attachments/20090130/30e441c7/attachment.sig>
More information about the Olsr-users
mailing list