[Unity-SRC] Server to server authentication
From: Jan Krueger
Subject: [Unity-SRC] Server to server authentication
Date: Fri, 22 Aug 2003 00:43:22 +0200
Hi everyone,
long time no see... since I'm currently stuck at this particular part of the
protocol specification, I want to know your opinion on it.
The more decentralised structure of the network brings us to the question of
the credibility of servers. IRC servers authenticate each other by predefined
linking passwords and IP addresses. However, we are not going to have a global
database of all SRC servers along with their connection passwords (which would
be stupid anyway since anyone could potentially read out another server's
password and assume its identity).
So I came up with two solutions: host-based authentication and SSL
certification.
host-based:
when a server connects to another, the reverse DNS entry is checked against
the A record for the reverse hostname and if they match, the server is
authenticated by that name.
Drawback: servers cannot use two different hostnames at the same time.
SSL:
when a server connects to another, its SSL certificate is made sure to have
been signed by the "SRC Root CA". The certificate would contain a list of
hostnames of the server.
Drawback: either all certifications have to come from a central place (us,
for example), or server admins have to maintain an up-to-date list of
trusted CAs.
Basically we could allow both at the same time; host-based is cheap and easy
and no major thinking needs to be involved, SSL does need thinking, and is
much more work for either "the SRC group" or the server admins.
Do you have another suggestion or an addition? I'd love to hear it.
--
regards,                        | http://arc.pasp.de
Jan Krüger                      | () ascii ribbon campaign
Student, RWTH Aachen, Germany   | /\ - against html mail
http://www.jast.net.tc/         |    - against microsoft attachments
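The host-based check described in the message, as an added example (not code from Jan's post or the Unity-SRC project): a forward-confirmed reverse DNS lookup, where a peer is accepted under a hostname only if that name's forward record points back at the connecting IP. The resolver is injected so the logic runs offline against a constructed DNS table; the `192.0.2.x` / `198.51.100.x` addresses and `example.net` names are constructed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting server."""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed DNS data standing in for real zone files (not real hosts).
PTR_TABLE = {
    "192.0.2.10": ["irc1.example.net."],   # PTR and A agree -> accepted
    "192.0.2.20": ["irc2.example.net"],    # PTR claims a name whose A record
                                           # points elsewhere -> rejected
    "192.0.2.30": [],                      # no PTR record at all -> rejected
}
A_TABLE = {
    "irc1.example.net": ["192.0.2.10", "192.0.2.11"],
    "irc2.example.net": ["198.51.100.5"],
}

def fake_ptr(ip: str) -> list[str]:
    return PTR_TABLE.get(ip, [])

def fake_a(name: str) -> list[str]:
    return A_TABLE.get(name, [])

def system_ptr(ip: str) -> list[str]:
    """Real reverse lookup via the system resolver (used when not testing)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []

def system_a(name: str) -> list[str]:
    """Real forward lookup; getaddrinfo covers both A and AAAA records."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def authenticate_host(peer_ip: str,
                      ptr_lookup: Callable[[str], list[str]] = system_ptr,
                      a_lookup: Callable[[str], list[str]] = system_a) -> Optional[str]:
    """Return the hostname the peer is authenticated as, or None.

    A PTR record alone proves nothing, since the owner of the IP's reverse
    zone can put any name in it; the forward lookup of that name must
    contain the peer's address before the name is trusted.
    """
    ip = ipaddress.ip_address(peer_ip)          # normalise textual form
    for raw_name in ptr_lookup(str(ip)):
        name = raw_name.rstrip(".").lower()     # canonical DNS name
        forward = {ipaddress.ip_address(a) for a in a_lookup(name)}
        if ip in forward:
            return name
    return None
```

Because the identity is tied to the single PTR name that confirms, one address yields one server name, which is the "two hostnames at once" limitation the message notes.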