Re: [Unity-SRC] Server to server authentication
From: raz
Subject: Re: [Unity-SRC] Server to server authentication
Date: Sat, 23 Aug 2003 16:07:22 +0200 (CEST)
I'd say host-based. Point is that a server -has- to have a PTR record; not
everyone's got the ability to get one. This'll probably filter out some
noobs, too.
I've got quite a bit of 'real life issues' and stuff; chances are I'll leave
Rotterdam and go back to my parents', so I'll be without internet access
for a while, although that'll probably be alright.
Chris
> Hi everyone,
> long time no see... since I'm currently stuck at this particular part
> of the protocol specification, I want to know your opinion on it.
>
> The more decentralised structure of the network brings us to the
> question of the credibility of servers. IRC servers authenticate each
> other by predefined linking passwords and IP addresses. However, we are
> not going to have a global database of all SRC servers along with their
> connection passwords (which would be stupid anyway, since anyone could
> potentially read out another server's password and assume its
> identity).
>
> So I came up with two solutions: host-based authentication and SSL
> certification.
>
> host-based:
> when a server connects to another, the reverse DNS entry is checked
> against the A record for the reverse hostname and if they match, the
> server is authenticated by that name.
> Drawback: servers cannot use two different hostnames at the same time.
>
> SSL:
> when a server connects to another, its SSL certificate is checked to
> have been signed by the "SRC Root CA". The certificate would contain a
> list of hostnames of the server.
> Drawback: either all certifications have to come from a central
> place (us, for example), or server admins have to maintain an
> up-to-date list of trusted CAs.
>
> Basically we could allow both at the same time; host-based is cheap and
> easy and no major thinking needs to be involved, SSL does need
> thinking, and is much more work for either "the SRC group" or the
> server admins.
>
> Do you have another suggestion or an addition? I'd love to hear it.
>
> --
> regards, | http://arc.pasp.de
> Jan Krüger | () ascii ribbon campaign
> Student, RWTH Aachen, Germany | /\ - against html mail
> http://www.jast.net.tc/ | - against microsoft attachments
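The host-based check described in the quoted post (reverse DNS entry checked against the forward record, i.e. forward-confirmed reverse DNS) written out as an added example. This is not Unity-SRC code; the lookup functions are injected so the same logic runs offline against the constructed FAKE_PTR/FAKE_ADDR tables below (documentation-range addresses, not real hosts) or against the system resolver.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed sample records (not real DNS data) so the check runs offline.
# PTR table: address -> reverse names; ADDR table: name -> forward addresses.
FAKE_PTR = {
    "203.0.113.10": ["irc1.example.net."],  # PTR and A agree: accepted
    "203.0.113.11": ["irc1.example.net."],  # PTR claims a name whose A points elsewhere: rejected
    "203.0.113.12": [],                     # no PTR at all: rejected
    "2001:db8::1": ["irc2.example.net."],   # IPv6 peer, accepted
}
FAKE_ADDR = {
    "irc1.example.net": ["203.0.113.10"],
    # Same address as the PTR key above, just written in uncompressed form.
    "irc2.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0001"],
}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_addr(name: str) -> List[str]:
    return FAKE_ADDR.get(name, [])


def fcrdns_name(peer_ip: str,
                ptr_lookup: Callable[[str], List[str]],
                addr_lookup: Callable[[str], List[str]]) -> Optional[str]:
    """Return the hostname a connecting server may be authenticated as, or None.

    Forward-confirmed reverse DNS: peer address -> PTR name(s) -> A/AAAA of that
    name must contain the peer address again. Without the forward step, whoever
    controls the reverse zone for an address block could claim any name.
    """
    ip = ipaddress.ip_address(peer_ip)          # normalises spelling, rejects junk
    for raw_name in ptr_lookup(str(ip)):
        name = raw_name.rstrip(".").lower()     # canonical form for comparison
        for addr in addr_lookup(name):
            try:
                forward = ipaddress.ip_address(addr)
            except ValueError:                  # e.g. scoped IPv6 literal, skip it
                continue
            if forward == ip:
                # First confirmed PTR wins; an address normally has one PTR,
                # which is the "one hostname per server" limitation in the post.
                return name
    return None


# Adapters for the real system resolver (same signatures as the fake ones).
def system_ptr(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def system_addr(name: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for peer in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "2001:db8::1"):
        print(peer, "->", fcrdns_name(peer, fake_ptr, fake_addr))
```

For a live check call `fcrdns_name(peer_ip, system_ptr, system_addr)` with the address taken from the accepted socket. Two caveats that follow from the post's own description: the result only says "whoever controls the forward zone for this name put this address there", it is not a shared secret; and plain DNS answers are not authenticated, so a spoofed or poisoned answer on the resolver path defeats the check entirely, which is the gap the SSL option in the post is meant to close.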