Re: [Unity-SRC] Server to server authentication


From: David Westley
Subject: Re: [Unity-SRC] Server to server authentication
Date: Fri, 22 Aug 2003 13:29:13 +0100

What if we go with the SSL option, but old style networks (can't remember what
they are going to be called in SRC) could apply for a network Certificate from
the SRC Root CA, then they can generate Certificates for their servers? That way
we would take the load off of us generating Certificates for everyone.

If this sounds really stupid to anyone then just slap me! :)

Dave

-----Original Message-----
From: Jan Krueger <address@hidden>
To: address@hidden
Date: Fri, 22 Aug 2003 00:43:22 +0200
Subject: [Unity-SRC] Server to server authentication

> Hi everyone,
> long time no see... since I'm currently stuck at this particular part of the
> protocol specification, I want to know your opinion on it.
> 
> The more decentralised structure of the network brings us to the question of
> the credibility of servers. IRC servers authenticate each other by predefined
> linking passwords and IP addresses. However, we are not going to have a
> global database of all SRC servers along with their connection passwords
> (which would be stupid anyway since anyone could potentially read out
> another server's password and assume its identity).
> 
> So I came up with two solutions: host-based authentication and SSL
> certification.
> 
> host-based:
>   when a server connects to another, the reverse DNS entry is checked against
>   the A record for the reverse hostname and if they match, the server is
>   authenticated by that name.
>   Drawback: servers cannot use two different hostnames at the same time.
> 
> SSL:
>   when a server connects to another, its SSL certificate is made sure to have
>   been signed by the "SRC Root CA". The certificate would contain a list of
>   hostnames of the server.
>   Drawback: either all certifications have to come from a central place (us,
>   for example), or server admins have to maintain an up-to-date list of
>   trusted CAs.
> 
> Basically we could allow both at the same time; host-based is cheap and easy
> and no major thinking needs to be involved, SSL does need thinking, and is
> much more work for either "the SRC group" or the server admins.
> 
> Do you have another suggestion or an addition? I'd love to hear it.
> 
> -- 
> regards,                        |     http://arc.pasp.de
> Jan Krüger                      | ()  ascii ribbon campaign
> Student, RWTH Aachen, Germany   | /\  - against html mail
> http://www.jast.net.tc/         |     - against microsoft attachments
> 
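
Added example, not part of the original thread: a sketch of the host-based check described in the quoted message (reverse lookup confirmed by a forward lookup), showing both why the forward step is needed and the stated drawback that a server cannot use two hostnames. The function names, the example.net hostnames and the DNS tables are constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def authenticated_name(peer_ip, reverse=system_reverse, forward=system_forward):
    """Return the hostname peer_ip is authenticated as, or None."""
    peer = ipaddress.ip_address(peer_ip)
    for name in reverse(peer_ip):
        name = name.rstrip(".").lower()
        # Forward-confirm: whoever runs the reverse zone for an address can
        # put any name in the PTR, so the name only counts if its own
        # address record points back at the connecting peer.
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == peer:
                    return name
            except ValueError:
                continue
    return None

def may_link_as(peer_ip, claimed, **resolvers):
    """True if the connecting server may use the hostname it announced."""
    return authenticated_name(peer_ip, **resolvers) == claimed.rstrip(".").lower()

# Constructed DNS data (documentation address ranges, example.net names).
PTR = {"192.0.2.10": ["hub.example.net."],     # legitimate server
       "198.51.100.7": ["hub.example.net."]}   # peer that set its own PTR
A = {"hub.example.net": ["192.0.2.10"],
     "alt.example.net": ["192.0.2.10"]}        # second name, same server
DEMO = {"reverse": lambda ip: PTR.get(ip, []),
        "forward": lambda name: A.get(name, [])}

if __name__ == "__main__":
    print(authenticated_name("192.0.2.10", **DEMO))
    print(authenticated_name("198.51.100.7", **DEMO))
    print(may_link_as("192.0.2.10", "alt.example.net", **DEMO))
```

The result is only as trustworthy as the DNS answers themselves: without DNSSEC or a trusted resolver path, a forged forward answer defeats the check.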
