[Unity-SRC] Server to server authentication


From: Jan Krueger
Subject: [Unity-SRC] Server to server authentication
Date: Fri, 22 Aug 2003 00:43:22 +0200

Hi everyone,
long time no see... since I'm currently stuck at this particular part of the
protocol specification, I want to know your opinion on it.

The more decentralised structure of the network brings us to the question of
the credibility of servers. IRC servers authenticate each other by predefined
linking passwords and IP addresses. However, we are not going to have a global
database of all SRC servers along with their connection passwords (which would
be stupid anyway since anyone could potentially read out another server's
password and assume its identity).

So I came up with two solutions: host-based authentication and SSL
certification.

host-based:
  when a server connects to another, the reverse DNS entry is checked against
  the A record for the reverse hostname and if they match, the server is
  authenticated by that name.
  Drawback: servers cannot use two different hostnames at the same time.

SSL:
  when a server connects to another, its SSL certificate is made sure to have
  been signed by the "SRC Root CA". The certificate would contain a list of
  hostnames of the server.
  Drawback: either all certifications have to come from a central place (us,
  for example), or server admins have to maintain an up-to-date list of
  trusted CAs.

Basically we could allow both at the same time; host-based is cheap and easy
and no major thinking needs to be involved, SSL does need thinking, and is
much more work for either "the SRC group" or the server admins.

Do you have another suggestion or an addition? I'd love to hear it.

-- 
regards,                        |     http://arc.pasp.de
Jan Krüger                      | ()  ascii ribbon campaign
Student, RWTH Aachen, Germany   | /\  - against html mail
http://www.jast.net.tc/         |     - against microsoft attachments

Attachment: pgpE2AJH7DJi1.pgp
Description: PGP signature
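
The host-based check described in the message above, as an added example that is not part of the original post or of the SRC code: the reverse entry for the connecting address is accepted only if the A records of that name point back to the same address. The DNS data, hostnames and the `authenticate_peer` function are constructed for illustration, and the lookups are passed in as callables so the sketch runs offline.

```python
import ipaddress

# Constructed DNS data (documentation address ranges and names), standing in
# for a real resolver so the example runs offline.
PTR_RECORDS = {
    "192.0.2.10": ["hub.example.net."],
    "192.0.2.20": ["leaf.example.org."],
    "192.0.2.30": ["hub.example.net."],  # reverse entry that the forward zone does not confirm
}
A_RECORDS = {
    "hub.example.net": ["192.0.2.10", "192.0.2.11"],
    "chat.example.net": ["192.0.2.10"],  # second name for the same machine, no PTR
    "leaf.example.org": ["198.51.100.7"],
}


def _norm(name):
    """Compare hostnames case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def authenticate_peer(peer_ip, claimed_name=None,
                      lookup_ptr=lambda ip: PTR_RECORDS.get(ip, []),
                      lookup_a=lambda name: A_RECORDS.get(name, [])):
    """Return the hostname the peer is authenticated as, or None.

    peer_ip      -- address taken from the accepted socket, never from the peer's own message
    claimed_name -- optional hostname the peer announced for itself (hypothetical protocol field)
    """
    ip = ipaddress.ip_address(peer_ip)
    for ptr_name in lookup_ptr(str(ip)):
        name = _norm(ptr_name)
        # Forward confirmation: one of the name's A records must be the peer address.
        forward = {ipaddress.ip_address(a) for a in lookup_a(name)}
        if ip not in forward:
            continue
        # The drawback from the message: only the reverse name can be proven,
        # so a second hostname for the same machine is rejected.
        if claimed_name is not None and _norm(claimed_name) != name:
            continue
        return name
    return None
```

The reverse zone is under the control of whoever operates the address block, so this check shows agreement between reverse and forward DNS rather than possession of a secret.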

