[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]

Henning Rogge (spam-protected)
Fri Jan 30 14:50:54 CET 2009

On Friday 30 January 2009 14:44:13, (spam-protected) wrote:
> Hello. I join the brainstorming :)

> On Fri, Jan 30, 2009 at 12:49 PM, Henning Rogge <(spam-protected)> wrote:
> > On Friday 30 January 2009 12:06:31, ZioPRoTo (Saverio Proto) wrote:
> >> > My idea is that each gateway to the internet set up it's own PKI root
> >> > key. The owners of the gateways can build something like a web of
> >> > trust between each other.
> >> >
> >> > Each user who is starting a new node has to download/choose a gateway
> >> > as his primary uplink and will a "chain of trust" for the rest of the
> >> > gateways.
> >>
> >> Why do you want to introduce a hierarchy when it is not needed? Why
> >> not just introduce the web of trust between all the nodes?
> >
> > The idea behind the "mini CAs" for each gateway was to reduce the length
> > of trust chains and number of "root certificates" a node has to know. RSA
> > operations are expensive.
> If the problem we want to focus on is rogue gateways, what about a
> decentralized web of trust based on PGP and only gateways signing
> their HNA messages (signatures could travel on separate messages, as
> in http://perso.crans.org/raffo/papers/securing-olsr.pdf )?
I would like to focus on getting a way "to prove your identification" in a 
mesh network (maybe for end-2-end encryption, maybe for routing-package 
signing,...). If we had a way to check the authentication of a node, we can 
build on it.

> Having only gateways signing their messages (and all nodes checking
> these signatures before accepting HNAs) should be less CPU-intensive
> than having nodes checking signatures made by all other nodes in the
> mesh...
Yes, that might be an interesting idea. Of course a possible attacker could 
try to redirect traffic by sending bad TCs, but that's another problem.

> >> [..CUT..]
> >> You deploy a Web Of Trust or PKI/PMI to enforce a security policy.
> >
> > No... I would like to have a PKI to have end-to-end encryption in OLSR
> > networks, so we don't have to send traffic unencrypted through the cloud
> > (where anyone outside the net just needs a wlan sniffer to log your
> > traffic)
> We could think of an on-demand PGP-based TLS/SSL between a node and a
> gateway, for example...
Or just IPsec... that way we don't need an additional UDP layer for TLS.


Diplom Informatiker Henning Rogge
Forschungsgesellschaft für
Angewandte Naturwissenschaften e. V. (FGAN) 
Neuenahrer Str. 20, 53343 Wachtberg, Germany
Tel.: 0049 (0)228 9435-961
Fax: 0049 (0)228 9435-685
E-Mail: (spam-protected)
Web: www.fgan.de
Registered office: Bonn
Registration court: Amtsgericht Bonn VR 2530
Board: Dr. rer. nat. Ralf Dornhaus (Chair), Prof. Dr. Joachim Ender 
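The scheme discussed in this thread (gateway owners acting as "mini CAs", short trust chains, only gateways signing their HNA announcements, every node verifying before accepting the HNA) can be sketched in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread, from olsrd or from the linked paper. It assumes Ed25519 in place of the RSA the thread mentions (cheaper verification, which is the CPU concern raised above), a simplified HNA containing only a prefix and a sequence number, a constructed sample prefix 10.42.0.0/16, and a hypothetical wire format with domain separators; the real OLSR message layout is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Domain separators (hypothetical) so a certificate signature can never be
// replayed as an HNA signature or vice versa.
const (
	tagCert = "olsr-cert-v0:"
	tagHNA  = "olsr-hna-v0:"
)

// Cert binds a gateway's key to an issuer ("mini CA") key. A node trusts a
// small set of issuer keys (its roots) instead of every node's key.
type Cert struct {
	Subject ed25519.PublicKey
	Issuer  ed25519.PublicKey
	Sig     []byte
}

// HNA is a simplified Host and Network Association: "prefix reachable via me".
type HNA struct {
	Prefix *net.IPNet
	Seq    uint32 // monotonically increasing so replayed announcements can be dropped
}

// encode produces the bytes that are signed (assumed format, not OLSR's).
func (h HNA) encode() []byte {
	ones, bits := h.Prefix.Mask.Size()
	buf := []byte(tagHNA)
	buf = append(buf, h.Prefix.IP.To16()...)
	buf = append(buf, byte(ones), byte(bits))
	seq := make([]byte, 4)
	binary.BigEndian.PutUint32(seq, h.Seq)
	return append(buf, seq...)
}

// SignedHNA travels alongside the HNA. Chain starts with the announcing
// gateway's own cert and ends with a cert issued by some root.
type SignedHNA struct {
	Msg   HNA
	Chain []Cert
	Sig   []byte
}

// IssueCert is what a gateway owner runs to vouch for another gateway's key.
func IssueCert(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey) Cert {
	issuerPub := issuerPriv.Public().(ed25519.PublicKey)
	msg := append([]byte(tagCert), subject...)
	return Cert{Subject: subject, Issuer: issuerPub, Sig: ed25519.Sign(issuerPriv, msg)}
}

// SignHNA is run by the announcing gateway only; ordinary nodes never sign.
func SignHNA(gwPriv ed25519.PrivateKey, chain []Cert, h HNA) SignedHNA {
	return SignedHNA{Msg: h, Chain: chain, Sig: ed25519.Sign(gwPriv, h.encode())}
}

const maxChain = 3 // bounds both verification cost and trust-chain length

var (
	ErrBadChain     = errors.New("hna: certificate chain invalid")
	ErrChainTooLong = errors.New("hna: certificate chain too long")
	ErrUntrusted    = errors.New("hna: chain does not end at a trusted root")
	ErrBadSig       = errors.New("hna: message signature invalid")
)

// VerifyHNA is what every node runs before accepting an HNA into its routing
// table. roots are the gateway "mini CA" keys this node chose to trust.
func VerifyHNA(roots []ed25519.PublicKey, s SignedHNA) error {
	if len(s.Chain) == 0 {
		return ErrBadChain
	}
	if len(s.Chain) > maxChain {
		return ErrChainTooLong
	}
	// Walk from the gateway's own cert up to the issuer that must be a root.
	for i, c := range s.Chain {
		if len(c.Subject) != ed25519.PublicKeySize || len(c.Issuer) != ed25519.PublicKeySize {
			return ErrBadChain
		}
		if i > 0 && !bytes.Equal(s.Chain[i-1].Issuer, c.Subject) {
			return ErrBadChain // link broken: previous issuer must be this cert's subject
		}
		if !ed25519.Verify(c.Issuer, append([]byte(tagCert), c.Subject...), c.Sig) {
			return ErrBadChain
		}
	}
	top := s.Chain[len(s.Chain)-1].Issuer
	trusted := false
	for _, r := range roots {
		if bytes.Equal(r, top) {
			trusted = true
			break
		}
	}
	if !trusted {
		return ErrUntrusted
	}
	// Only now is the HNA itself checked, under the leaf (gateway) key.
	if !ed25519.Verify(s.Chain[0].Subject, s.Msg.encode(), s.Sig) {
		return ErrBadSig
	}
	return nil
}

// Scenario builds a one-link chain (root owner -> gateway) and returns the
// verification result for a genuine announcement, for the same announcement
// signed by a key that merely presents the genuine chain, and for a node
// whose trusted roots do not include the issuer.
func Scenario() (valid, forged, untrusted error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	gwPub, gwPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherRoot, _, _ := ed25519.GenerateKey(rand.Reader)
	_, prefix, _ := net.ParseCIDR("10.42.0.0/16") // constructed sample prefix

	chain := []Cert{IssueCert(rootPriv, gwPub)}
	h := HNA{Prefix: prefix, Seq: 1}
	roots := []ed25519.PublicKey{rootPub}

	valid = VerifyHNA(roots, SignHNA(gwPriv, chain, h))
	forged = VerifyHNA(roots, SignHNA(otherPriv, chain, h))
	untrusted = VerifyHNA([]ed25519.PublicKey{otherRoot}, SignHNA(gwPriv, chain, h))
	return
}

func main() {
	valid, forged, untrusted := Scenario()
	fmt.Println("genuine gateway:", valid)
	fmt.Println("wrong signing key:", forged)
	fmt.Println("unknown root:", untrusted)
}
```

The chain is checked before the message signature so a node never spends a signature verification on an HNA whose issuer it would not have trusted anyway, and `maxChain` puts a hard ceiling on the per-message cost that the "mini CA" layout is meant to keep small.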
