[Security] Hosted solutions - client/user certs

Dirk Meyer dmeyer at tzi.de
Sun Aug 24 13:09:14 CDT 2008


Pavel Simerda wrote:
> PubSub will be on virtually every server in the future and it's
> suitable for saving both private and public data.
>
> The only issue is: do you trust the server list? Maybe you can also
> store your own signatures for the certificates? I don't understand the
> precise purpose of this outline but I believe it should also include
> a listing of security features it is intended to provide.

I trust the server to hold the certificates for clients that can log
in at the server. If the server is bad it does not care anyway. But I
do not trust the server for c2c certificates, they have to be signed
by a key I trust. But we can use the same list for both cases. Keep
the list of client certificates signed on a pubsub node. The server
(which may not be able to verify the signature but that doesn't
matter) allows all clients with such a certificate to log in. For c2c
all clients use that list including the signature for authentication.


Dirk

-- 
If you explain so clearly that nobody can misunderstand, somebody will.


More information about the Security mailing list