[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]

Henning Rogge (spam-protected)
Fri Jan 30 14:50:54 CET 2009


On Friday 30 January 2009 14:44:13 (spam-protected) wrote:
> Hello. I join the brainstorming :)
:)

> On Fri, Jan 30, 2009 at 12:49 PM, Henning Rogge <(spam-protected)> wrote:
> > On Friday 30 January 2009 12:06:31 ZioPRoTo (Saverio Proto) wrote:
> >> > My idea is that each gateway to the internet sets up its own PKI root
> >> > key. The owners of the gateways can build something like a web of
> >> > trust between each other.
> >> >
> >> > Each user who is starting a new node has to download/choose a gateway
> >> > as his primary uplink and will a "chain of trust" for the rest of the
> >> > gateways.
> >>
> >> Why do you want to introduce a hierarchy when it is not needed? Why
> >> not just introduce the web of trust between all the nodes?
> >
> > The idea behind the "mini CAs" for each gateway was to reduce the length
> > of trust chains and number of "root certificates" a node has to know. RSA
> > operations are expensive.
>
> If the problem we want to focus on is rogue gateways, what about a
> decentralized web of trust based on PGP and only gateways signing
> their HNA messages (signatures could travel on separate messages, as
> in http://perso.crans.org/raffo/papers/securing-olsr.pdf )?
I would like to focus on getting a way "to prove your identification" in a 
mesh network (maybe for end-2-end encryption, maybe for routing-packet 
signing, ...). If we had a way to check the authentication of a node, we can 
build on it.

> Having only gateways signing their messages (and all nodes checking
> these signatures before accepting HNAs) should be less CPU-intensive
> than having nodes checking signatures made by all other nodes in the
> mesh...
Yes, that might be an interesting idea. Of course a possible attacker could 
try to redirect traffic by sending bad TCs, but that's another problem.

> >> [..CUT..]
> >> You deploy a Web Of Trust or PKI/PMI to enforce a security policy.
> >
> > No... I would like to have a PKI to have end-to-end encryption in OLSR
> > networks, so we don't have to send traffic unencrypted through the cloud
> > (where anyone outside the net just needs a wlan sniffer to log your
> > traffic)
>
> We could think of an on-demand PGP-based TLS/SSL between a node and a
> gateway, for example...
Or just IPsec... that way we don't need an additional UDP layer for TLS.

Henning

*************************************************
Diplom Informatiker Henning Rogge
Forschungsgesellschaft für
Angewandte Naturwissenschaften e. V. (FGAN) 
Neuenahrer Str. 20, 53343 Wachtberg, Germany
Tel.: 0049 (0)228 9435-961
Fax: 0049 (0)228 9435-685
E-Mail: (spam-protected)
Web: www.fgan.de
************************************************
Registered office: Bonn
Register court: Amtsgericht Bonn VR 2530
Board: Dr. rer. nat. Ralf Dornhaus (chair), Prof. Dr. Joachim Ender 
(deputy)
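To make the gateway-signed-HNA idea from the exchange above concrete, here is an added example (not code from this thread or from olsrd) modelling it in Go: only gateways sign their HNA announcements, and a node accepts an HNA only when its originator is a gateway whose public key the node already trusts. RSA with SHA-256, the HNA field layout and the 10.0.0.x addresses are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HNA is a simplified host-and-network association announcement: the
// gateway's originator address, the prefix it claims to reach, and its signature.
type HNA struct {
	Originator string
	Prefix     string
	Signature  []byte
}
// hnaDigest hashes the fields the gateway vouches for (newline keeps them apart).
func hnaDigest(originator, prefix string) []byte {
	h := sha256.Sum256([]byte(originator + "\n" + prefix))
	return h[:]
}
// SignHNA signs an announcement with the gateway's RSA key (RSA/SHA-256 are
// assumed here; the thread fixes no algorithms).
func SignHNA(key *rsa.PrivateKey, originator, prefix string) (HNA, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hnaDigest(originator, prefix))
	if err != nil {
		return HNA{}, err
	}
	return HNA{Originator: originator, Prefix: prefix, Signature: sig}, nil
}
// VerifyHNA accepts an HNA only if its originator is a known gateway and the
// signature verifies under that gateway's key; unknown gateways, foreign keys
// and altered prefixes are all dropped before they can influence routing.
func VerifyHNA(trusted map[string]*rsa.PublicKey, m HNA) bool {
	pub, ok := trusted[m.Originator]
	if !ok {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hnaDigest(m.Originator, m.Prefix), m.Signature) == nil
}

func main() {
	gw, _ := rsa.GenerateKey(rand.Reader, 2048)    // legitimate gateway key
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // rogue gateway, not in the trust set
	trusted := map[string]*rsa.PublicKey{"10.0.0.1": &gw.PublicKey} // constructed address
	good, _ := SignHNA(gw, "10.0.0.1", "0.0.0.0/0")
	spoof, _ := SignHNA(rogue, "10.0.0.1", "0.0.0.0/0") // rogue claims the real gateway's address
	fmt.Println(VerifyHNA(trusted, good), VerifyHNA(trusted, spoof)) // true false
}
```

The trust map stands in for whatever distribution mechanism the thread ends up with (per-gateway mini-CAs or a web of trust); the verification cost on ordinary nodes is one RSA verify per received HNA, not per TC.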
