
Re: [Unity-SRC] Server to server authentication


From: raz
Subject: Re: [Unity-SRC] Server to server authentication
Date: Sat, 23 Aug 2003 16:07:22 +0200 (CEST)

I'd say host-based. Point is that a server -has- to have a PTR record; not
everyone's got the ability to get one. This'll probably filter out some
noobs, too.
I've got quite a bit of 'real life issues' and stuff, chances are I leave
Rotterdam and get back to my parents so I'll be without internet access
for a while, although that'll probably be alright.
Chris

> Hi everyone,
> long time no see... since I'm currently stuck at this particular part
> of the protocol specification, I want to know your opinion on it.
>
> The more decentralised structure of the network brings us to the
> question of the credibility of servers. IRC servers authenticate each
> other by predefined linking passwords and IP addresses. However, we are
> not going to have a global database of all SRC servers along with their
> connection passwords (which would be stupid anyway since anyone could
> potentially read out another server's password and assume its
> identity).
>
> So I came up with two solutions: host-based authentication and SSL
> certification.
>
> host-based:
>  when a server connects to another, the reverse DNS entry is checked
>  against the A record for the reverse hostname and if they match, the
>  server is authenticated by that name.
>  Drawback: servers cannot use two different hostnames at the same time.
>
> SSL:
>  when a server connects to another, its SSL certificate is made sure to
>  have been signed by the "SRC Root CA". The certificate would contain a
>  list of hostnames of the server.
>  Drawback: either all certifications have to come from a central
>  place (us, for example), or server admins have to maintain an
>  up-to-date list of trusted CAs.
>
> Basically we could allow both at the same time; host-based is cheap and
> easy and no major thinking needs to be involved, SSL does need
> thinking, and is much more work for either "the SRC group" or the
> server admins.
>
> Do you have another suggestion or an addition? I'd love to hear it.
>
> --
> regards,                        |     http://arc.pasp.de
> Jan Krüger                      | ()  ascii ribbon campaign
> Student, RWTH Aachen, Germany   | /\  - against html mail
> http://www.jast.net.tc/         |     - against microsoft attachments
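The host-based scheme Jan describes above (PTR of the connecting address looked up, then the A record of that name checked back against the address) is what is usually called forward-confirmed reverse DNS. The block below is an added example of that check, not code from the Unity-SRC project or from either poster. It uses constructed zone data for hypothetical hosts under example.net so it runs offline; the two `system_*` helpers show how the same check would be wired to the real resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting server.

Added example, not Unity-SRC code. All hostnames and addresses below are
constructed sample data (RFC 5737 / example.net), not real servers.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample zone data: what PTR and A lookups would return.
PTR_RECORDS = {
    "192.0.2.10": "irc1.example.net.",   # forward A matches: authenticates
    "192.0.2.20": "irc2.example.net.",   # forward A points elsewhere: rejected
    "192.0.2.40": "pool.example.net.",   # name with several A records
}
A_RECORDS = {
    "irc1.example.net": ["192.0.2.10"],
    "irc2.example.net": ["198.51.100.7"],
    "pool.example.net": ["192.0.2.41", "192.0.2.40"],
}


def sample_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed data (None = no record)."""
    return PTR_RECORDS.get(ip)


def sample_a(name: str) -> List[str]:
    """A lookup against the constructed data (empty list = no records)."""
    return A_RECORDS.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def system_a(name: str) -> List[str]:
    """Real A lookup via the system resolver (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


@dataclass
class AuthResult:
    authenticated: bool
    server_name: Optional[str]   # the name the peer is authenticated as
    reason: str


def authenticate_host(
    peer_ip: str,
    ptr: Callable[[str], Optional[str]] = sample_ptr,
    a: Callable[[str], List[str]] = sample_a,
) -> AuthResult:
    """Authenticate a connecting peer purely by its forward-confirmed PTR name.

    Step 1: the peer address must have a PTR record at all.
    Step 2: the A records of that name must include the peer address,
            otherwise anyone controlling reverse DNS for their own block
            could claim an arbitrary name.
    """
    raw_name = ptr(peer_ip)
    if raw_name is None:
        return AuthResult(False, None, "no PTR record for %s" % peer_ip)
    name = raw_name.rstrip(".").lower()      # normalise trailing dot and case
    forward = a(name)
    if peer_ip not in forward:
        return AuthResult(False, None,
                          "A records for %s do not include %s" % (name, peer_ip))
    return AuthResult(True, name, "forward-confirmed")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, authenticate_host(ip))
```

Because the check starts from the single PTR record of the connecting address, the peer can only ever be authenticated as that one name, which is exactly the drawback noted in the quoted message: a server wanting to appear under two hostnames would need two addresses with two PTRs. Note also that passing this check only proves control over the address's reverse zone and the name's forward zone; it says nothing about who operates the host.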