[E-Lang] Re: [JXTA Security] hello and unassisted encrypted file
Ben Laurie
ben@algroup.co.uk
Sat, 16 Jun 2001 11:06:58 +0100
"McMahon, Joseph" wrote:
>
> You should also consider including a NRV (Non repeating value) to help
> defeat playback attacks. There's plenty of issues as you said with securing
> P2P...how do you authenticate the peer? how do you protect the session with
> the peer? How does the peer authenticate that you aren't spoofing another
> peer? If we're to keep this mobile, then you can't tie things to a physical
> address (like a certificate for a website)...it should be fun & challenging
> coming up with the solution!
Certificates are tied to some notion of identity. When you connect to a
website using HTTPS, what actually gets verified is that the cert
corresponds to the FQDN. But there's no need for that to be the case
universally. Presumably in P2P you identify the peer in some way, and
_that_ is what should be in the cert (actually, I'm an SPKI fan for this
kind of thing - your ID _is_ your key).
BTW, the whole question of authenticated and secure P2P connections has
been pretty thoroughly explored in E - see http://www.erights.org/, and
in particular VatTP
(http://www.erights.org/elib/distrib/vattp/index.html).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff