Ralph Hartley wrote:
> Ok, then there is no need for any signed SLS entries at all. An SLS
> isn't trusted to check them anyway. To prevent DOS attack involving
> masses of bad entries, an SLS MAY check any SLS entry it receives in
> the same way the client does.
I would say SHOULD. MAY would make it too easy to hijack an unauthenticated scheme. Although clients should not rely on this, we want to make a 'best effort'.
The signed entries from the site admin to the SLS were also intended to prevent replay attacks. If the site admin is using the SLS for some load balancing strategy, then he might want to temporarily remove sites that are valid mirrors. An annoyance Mallet could interfere with an SLS and a site admin that were trying to co-operate.
Maybe trying to prevent this isn't worth the added complexity of another authentication method. Let's drop it.
> Are there bad things Mallet might want to do that don't require
> passing a bad entry off as a good one?
The most common attack will be trying to convince the user to voluntarily use a public-key-hash for a site that is trying to impersonate another site that the user does not have the public-key-hash for.
The best way to prevent this is with Pet Name registries like Markm was talking about in a previous post. The first of these registries may be in a stock 'favourites' list that comes with your browser.
> For instance, if Mallet controls an SLS but not all communications to and from the
> client, he can do traffic analysis based on what URIs the client requests,
Your gateway can always keep track of what you ask for. If this is a problem, then what you ask for should be the front door to a ZeroKnowledge cloud. I don't think there's anything in SLS that would prevent Freedom from doing its job.
I think Mark talked with Ian about this when wondering about VLS on Freedom. I think the answer was yes, but not supported by the current release (or any planned releases due to publicity concerns).
> or by adding bogus entries pointing to an IP address he controls
> (which would be caught but only after he logged them).
Which a 'good' SLS would filter out before use.
> Mallet can also add new URIs and make them point to arbitrary servers
> without the server administrator's permission, but I don't know if that is bad.
Do you mean a new public-key-hash that points to someone else's server? I guess this would be an annoyance attack on the SLS. If it gets to be a problem, then an SLS may demand a fee to host an entry. The worst case for this is just wasted storage space, which isn't such a terrible fate.
Tyler