[freenet-chat] ideas for a freenet 'name server' framework

Matthew Toseland toad at amphibian.dyndns.org
Thu Jun 15 13:36:14 UTC 2006 

Interesting.

KSKs aren't *that* insecure:
- They _can_ be spammed.
- They _can_ be decrypted from the store (with a dictionary attack).
- They _can_ be faked (with a dictionary attack).
- However, an existing KSK takes precedence when requesting or
  inserting, and when a new one tries to overwrite the old one, the old
  one propagates.

The only really fatal problem here is that they are spammable. Of
course, so is classic DNS, as we have discovered. :(

If you want something which isn't spammable, then indeed you need
central repositories. One way to do this is just like DNS - have several
*named* master registries:

http://bob.cofe/ (look bob up on cofe)
http://joe.freehoo/ (look joe up on freehoo)

You might have a unifying search which checks multiple repositories in
order, but generally that sort of ambiguity is dangerous.

Obviously we need a consensus mapping of names to repositories; you've
already covered that, it's something that needs to be manually
maintained.

The bottom line is that the best security comes from using SSKs and
CHKs. However, KSKs have their uses, and such a scheme may also have its
uses. But I recommend the multiple-named-repos approach, for obvious
security reasons.

On Fri, Jun 16, 2006 at 12:02:41AM +1200, David McNab wrote:
> Hi
> 
> I've been thinking about ways to get human-friendly, yet secure, URIs
> under freenet.
> 
> (KSKs are nice, just a shame they're so easily subverted).
> 
> My thoughts so far are:
> 
> 1) Users would trust one or more 'namesites'. For instance, if I have
> confidence in Alice's 'namesite', I would stick in my ~/.freenames file
> an entry:
> 
> alice freenet:USK at alicepubkey/alice/0
> 
> 2) If I want to browse a freesite, with the human-friendly URL of
> http://falun-gong.free, my client would look in ~/.freenames, see the
> entry for 'alice', then try alice's uri for 'falun-gong'.
> 
> 3) If the 'alice' namesite has an entry for 'falun-gong', then the URI:
> 
> USK at alicepubkey/alice/0/falun-gong
> 
> should return the physical URI of the 'falun-gong' site I'm looking for,
> which might be:
> 
> USK at falungpubkey/falun-gong/0
> 
> 4) Alice might trust other namesites, so her namesite would have
> a file 'USK at alicepubkey/alice/0/.forward
> 
> which lists URIs for other namesites which Alice considers trustworthy.
> So if Alice didn't have an entry for 'falun-gong', maybe one of the
> namesites listed in her .forward file might.
> 
> So, how would this get used in practice?
> 
> One way I've thought of is to implement a basic name server for local
> use only. This name server would have a very simple socket interface,
> supporting commands like 'lookup' (look up a name), 'list' (list the
> trusted namesites), 'add' (add a namesite), 'remove' (remove a namesite).
> 
> Then the last step is to write an http proxy over the top of fproxy
> which simply follows the above method to translate human-readable URIs
> such as 'http://falun-gong.free' to
> 'http://127.0.0.1:8888/USK@falungongpubkey/falun-gong/0/index.html'
> 
> As for the service side, running a namesite would be very easy. It would
> just be a freesite where the mapping from (say) foo.free is implemented
> as a relative path /foo, which contains just the real freenet URI
> 'USK at blahblah/foo/0'.
> 
> An alternative, which would reduce the number of files on the freesite,
> would be to list everything in one file, maybe '/.bulk'.
> 
> But before I launch into something like this, the question to ask is
> whether others might see value in having human-readable yet secure and
> (relatively) trustworthy URIs.
> 
> For me, I would see value, because I'm getting a bit tired of the
> current URIs being so long that I can't see the file extension in my
> browser address or status bars.
> 
> Anyway, your thoughts?
> 
> -- 
> Kind regards
> David
> 
> _______________________________________________
> chat mailing list
> chat at freenetproject.org
> Archived: http://news.gmane.org/gmane.network.freenet.general
> Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/chat
> Or mailto:chat-request at freenetproject.org?subject=unsubscribe
> 

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://emu.freenetproject.org/pipermail/chat/attachments/20060615/defe62ac/attachment.pgp

More information about the chat mailing list