[retronet] WireGuard VPN keys…

Grant Taylor gtaylor at tnetconsulting.net
Tue Sep 11 21:56:43 MDT 2018


I wanted to document something I've thought for a while so that others 
can know what I'm thinking and have the opportunity to comment / object 
/ support it.

--------
Outgoing:  I am planning on ALL WireGuard VPN keys to be generated on 
each member's client.  The member will then provide their public key 
file (${member}-${node}.pub) to the other members (including RetroNet 
Services) that they wish to connect to.
--------
Incoming:  Members will need to accept and install the public key files 
of the other members (including RetroNet Services) that they want to 
connect to.
--------

I want the Outgoing statement so that members are in control of their 
own private key.  Nobody else has it.  Nobody else can violate security 
of something they don't have.

I want the Incoming statement so that members are in control of who is 
allowed to connect to their node.

RetroNet Services is functionally just another member that will have 
links with many other members.  But this is not a hard requirement. 
Members can have links between themselves without RetroNet Services 
being involved.  -  There may be some coordination issues that need to 
be addressed.  But we will deal with them in turn.  I want the 
underlying infrastructure to be designed with security in mind and in 
such a way that members are in complete control of their own security.



-- 
Grant. . . .
unix || die
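
The Outgoing and Incoming statements above, sketched as a shell workflow. This is an added example, not part of the original post or RetroNet's own tooling; the `.key` file name, the function names and the directory layout are assumptions (the post names only `${member}-${node}.pub`), and `wg` from wireguard-tools is assumed to be installed for key generation.

```shell
#!/bin/sh
# Added example, not from the original post. The ".key" name and the
# function names are assumptions; the post names only ${member}-${node}.pub.

# Outgoing: create the key pair locally; only the .pub file is ever shared.
gen_keypair() (                 # usage: gen_keypair MEMBER NODE DIR
    umask 077                   # private key is never group/world readable
    priv="$3/$1-$2.key"; pub="$3/$1-$2.pub"
    if [ -e "$priv" ]; then echo "refusing to overwrite $priv" >&2; exit 1; fi
    wg genkey > "$priv" || exit 1
    wg pubkey < "$priv" > "$pub" || exit 1
    chmod 644 "$pub"            # the public half is safe to hand out
    echo "$pub"
)

# Incoming: sanity-check a received key file before trusting it as a peer.
check_pubkey() (                # usage: check_pubkey FILE
    case "$(basename "$1")" in
        ?*-?*.pub) ;;
        *) echo "unexpected file name: $1" >&2; exit 1 ;;
    esac
    [ "$(wc -l < "$1")" -eq 1 ] || { echo "expected exactly one line" >&2; exit 1; }
    key=$(cat "$1")
    # Reject anything outside the base64 alphabet before it reaches a config.
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "non-base64 characters in key" >&2; exit 1 ;;
    esac
    # A WireGuard key is 32 bytes, which is 44 base64 characters.
    [ "${#key}" -eq 44 ] || { echo "wrong key length" >&2; exit 1; }
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ] || { echo "key does not decode to 32 bytes" >&2; exit 1; }
)

# Print a [Peer] section for the member to review and add to their own
# config; nothing is installed automatically, the member decides.
peer_stanza() {                 # usage: peer_stanza FILE ALLOWED_IPS
    check_pubkey "$1" || return 1
    printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n' \
        "$(basename "$1" .pub)" "$(cat "$1")" "$2"
}
```

The format check cannot tell a public key from a private one (both are 32 bytes), so it catches truncated or mangled files, not a member who sends the wrong half.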
