From: "Ian Clarke" <[EMAIL PROTECTED]>

>Ok, but this basically gives the controller of that private key (namely
>you) the power to censor any sites which are linked to via your DNS
>mechanism (by refusing to copy them into the private subspace).

Which is why I'm keen to take up Brandon's suggestion about multiple DNS
registries, and empowering anyone to become a DNS registrar. I don't want to
be held responsible for content on FreeWeb.

But did you read in my earlier reply about the 'fwgetdns' utility, which
*anyone* can run, and which bypasses me completely in loading DNS records
into the user's own local DNS cache?

> The
>system could also be shut down by spamming the submission key index.
>This defeats the whole point of Freenet.

Here again is where the multiple registries system will offer some remedies.
If one key index is being spammed, it can be blacklisted in favour of
cleaner registries.

>It is also totally unnecessary, if people want friendly ways
>to access their sites in Freenet, why not use KSKs - that is what they
>are there for?

The first pre-alpha used strictly KSKs, and had no 'registry' system - I got
shot down by others for using inherently insecure key types.
Milking inform.php and doing htl=1 inserts of a KSK all over the place can
take down a site, or result in another site appearing in its place.

The Chinese government would just *love* that if they see Falun Gong sites
appearing on freeweb.

>This additional layer is unnecessary and encourages incompatibilities
>since only FreeWeb users will be able to access sites which are
>advertised with a .free domain - whereas it would be trivial to make
>FreeWeb 100% compatible with existing tools by abandoning this
>mechanism.

Again, refer to the discussion in my earlier reply about the fwgetdns
utility.

Lastly, Ian and others, I do hear your concerns.

It's a bit of a brain rattler, how to come up with a translation path which
can render a short human-readable string into a secure Freenet key:
1) With no hazard to anonymity
2) Without relying on out-of-band means such as mainstream websites
3) With no vulnerability in the security or accessibility of the translation
path

KSKs are wonderful for this, but highly vulnerable to htl=1 attack.
SSKs are tight and secure keys, but can't be written to without the use of a
private key. Revealing this private key makes them as insecure as KSKs.

I propose that the final system work via multiple DNS registries, with each
user free to select the order in which the registries are searched.
This seems the best compromise - an 'arms race' scenario, whereby new clean
DNS registries pop up as fast as older registries get spammed into
uselessness.

If you, Ian, or anyone else can suggest something better, I'd love to hear
it, and put it into the next FreeWeb release.

Cheers
David



_______________________________________________
Chat mailing list
[EMAIL PROTECTED]
http://lists.freenetproject.org/mailman/listinfo/chat
