[18790] in cryptography@c2.net mail archive
[kerry@vscape.com: Re: [p2p-hackers] P2P Authentication]
daemon@ATHENA.MIT.EDU (Eugen Leitl)
Mon Oct 31 09:42:37 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 27 Oct 2005 16:09:33 +0200
From: Eugen Leitl <eugen@leitl.org>
To: Cryptography List <cryptography@metzdowd.com>
----- Forwarded message from Kerry Bonin <kerry@vscape.com> -----
From: Kerry Bonin <kerry@vscape.com>
Date: Thu, 27 Oct 2005 06:52:57 -0700
To: zooko@zooko.com, "Peer-to-peer development." <p2p-hackers@zgp.org>
Subject: Re: [p2p-hackers] P2P Authentication
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
Reply-To: "Peer-to-peer development." <p2p-hackers@zgp.org>
There are only two good ways to provide man-in-the-middle-resistant
authentication with key repudiation in a distributed system - using a
completely trusted out-of-band channel to manage everything, or use a
PKI. I've used PKI for >100k node systems, it works great if you keep
it simple and integrate your CRL mechanism - in a distributed system the
pieces are all already there! I think some people are put off by the
size and complexity of the libraries involved, which doesn't have to be
the case - I've got a complete RSA/DSA X.509 compliant cert based PKI
(leveraging LibTomCrypt for crypto primitives) in about 2k lines of C++,
<30k object code, works great (I'll open that source as LGPL when I
deploy next year...) The only hard part about integrating into a p2p
network is securing the CAs, and that's more of a network security
problem than a p2p problem...
Kerry
zooko@zooko.com wrote:
>>> And if they do, then why reinvent the wheel? Traditional public key
>>> signing works well for these cases.
>
> ...
>
>> Traditional public key signing doesn't work well if you want to
>> eliminate the central authority / trusted third party. If you like
>> keeping those around, then yes, absolutely, traditional PKI works
>> swimmingly.
>
> Where is the evidence of this bit about "traditional PKI working"? As far
> as I've observed, traditional PKI works barely for small, highly centralized,
> hierarchical organizations and not at all for anything else. Am I missing
> some case studies of PKI actually working as intended?
>
> Regards,
>
> Zooko
> _______________________________________________
> p2p-hackers mailing list
> p2p-hackers@zgp.org
> http://zgp.org/mailman/listinfo/p2p-hackers
> _______________________________________________
> Here is a web page listing P2P Conferences:
> http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
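Kerry's "keep it simple and integrate your CRL mechanism" in working code, as an added example that is not part of this thread or of Kerry's library: a Go program using only the standard crypto/x509 package stands up a single CA, issues a peer certificate, and runs the check a node would perform on a peer (chain to the trusted CA, then consult a CA-signed CRL), once before and once after the CA publishes a CRL revoking that peer. The names verifyPeer, Scenario, "p2p CA", "peer-42" and serial 42 are constructed for this example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// verifyPeer: chain the peer cert to the trusted CA, then consult the CA's CRL (forged or stale CRLs rejected).
func verifyPeer(peer, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return errors.New("CRL malformed or not signed by our CA: nobody else may \"un-revoke\" a key")
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("stale CRL: fetch a fresh one before trusting this peer")
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go >= 1.21
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return errors.New("peer certificate revoked")
		}
	}
	return nil
}

// Scenario builds a one-CA PKI and returns the peer's verification result before and after revocation (constructed inputs, setup errors ignored).
func Scenario() (beforeRevoke, afterRevoke error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	peerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "p2p CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	peerTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "peer-42"}, NotBefore: nb, NotAfter: na}
	peerDER, _ := x509.CreateCertificate(rand.Reader, peerTmpl, ca, &peerKey.PublicKey, caKey)
	peer, _ := x509.ParseCertificate(peerDER)
	crl := x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na}
	emptyCRL, _ := x509.CreateRevocationList(rand.Reader, &crl, ca, caKey)
	crl.Number, crl.RevokedCertificates = big.NewInt(2), []pkix.RevokedCertificate{{SerialNumber: peer.SerialNumber, RevocationTime: nb}} // number increases so a replayed older CRL is detectable
	revokedCRL, _ := x509.CreateRevocationList(rand.Reader, &crl, ca, caKey)
	return verifyPeer(peer, ca, emptyCRL), verifyPeer(peer, ca, revokedCRL)
}
```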
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com