[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]

Fri Jan 30 14:44:13 CET 2009

Hello. I join the brainstorming :)

On Fri, Jan 30, 2009 at 12:49 PM, Henning Rogge <(spam-protected)> wrote:
> On Friday 30 January 2009 12:06:31, ZioPRoTo (Saverio Proto) wrote:
>> > My idea is that each gateway to the internet sets up its own PKI root
>> > key. The owners of the gateways can build something like a web of trust
>> > between each other.
>> >
>> > Each user who is starting a new node has to download/choose a gateway as
>> > his primary uplink and will a "chain of trust" for the rest of the
>> > gateways.
>> Why do you want to introduce a hierarchy when it is not needed? Why
>> not just introduce the web of trust between all the nodes?
> The idea behind the "mini CAs" for each gateway was to reduce the length of
> trust chains and number of "root certificates" a node has to know. RSA
> operations are expensive.

If the problem we want to focus on is rogue gateways, what about a
decentralized web of trust based on PGP and only gateways signing
their HNA messages (signatures could travel on separate messages, as
in http://perso.crans.org/raffo/papers/securing-olsr.pdf )?

Having only gateways signing their messages (and all nodes checking
these signatures before accepting HNAs) should be less CPU-intensive
than having nodes checking signatures made by all other nodes in the

>> [..CUT..]
>> You deploy a Web Of Trust or PKI/PMI to enforce a security policy.
> No... I would like to have a PKI to have end-to-end encryption in OLSR
> networks, so we don't have to send traffic unencrypted through the cloud
> (where anyone outside the net just needs a wlan sniffer to log your traffic)

We could think of an on-demand PGP-based TLS/SSL between a node and a
gateway, for example...
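
An added example, not part of the original post: a node that installs an HNA only when it carries a valid signature from a gateway key the node already trusts. Ed25519 from the Go standard library stands in for the PGP signatures discussed above; the HNA struct, its byte encoding, the Node type, the addresses and the sequence-number check are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// HNA is a simplified announcement (hypothetical layout, not the OLSR wire format).
type HNA struct {
	Originator, Prefix string
	Seq                uint16 // assumed to start at 1; wrap-around is ignored here
}

// encode returns the exact bytes the gateway signs and the node verifies.
func (h HNA) encode() []byte { return []byte(fmt.Sprintf("%s|%s|%d", h.Originator, h.Prefix, h.Seq)) }

// Node keeps one trusted public key per gateway plus the last sequence number accepted.
type Node struct {
	trusted map[string]ed25519.PublicKey
	lastSeq map[string]uint16
}

// AcceptHNA reports whether a route for h may be installed.
func (n *Node) AcceptHNA(h HNA, sig []byte) bool {
	pub, ok := n.trusted[h.Originator]
	if !ok || !ed25519.Verify(pub, h.encode(), sig) || h.Seq <= n.lastSeq[h.Originator] {
		return false // unknown gateway, bad signature, or replayed sequence number
	}
	n.lastSeq[h.Originator] = h.Seq
	return true
}

// demo feeds constructed announcements to a node and returns the four verdicts.
func demo() []bool {
	seed := make([]byte, ed25519.SeedSize) // fixed seeds: constructed demo keys only
	gw := ed25519.NewKeyFromSeed(seed)
	seed[0] = 1
	other := ed25519.NewKeyFromSeed(seed) // a key the node does not trust
	n := &Node{map[string]ed25519.PublicKey{"10.0.0.1": gw.Public().(ed25519.PublicKey)}, map[string]uint16{}}
	good := HNA{"10.0.0.1", "0.0.0.0/0", 7}
	unknown := HNA{"10.0.0.66", "0.0.0.0/0", 1} // originator with no trusted key
	spoof := HNA{"10.0.0.1", "0.0.0.0/0", 8}    // gateway's address, signed with the wrong key
	goodSig := ed25519.Sign(gw, good.encode())
	return []bool{n.AcceptHNA(good, goodSig), n.AcceptHNA(unknown, ed25519.Sign(other, unknown.encode())),
		n.AcceptHNA(spoof, ed25519.Sign(other, spoof.encode())), n.AcceptHNA(good, goodSig)}
}

func main() { fmt.Println(demo()) }
```

Each received HNA costs the node one signature verification, and only for originators present in its trusted map; how keys get into that map (web of trust or per-gateway CA) is the open question in the thread.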


