[retronet] WireGuard VPN keys…

Michael Kjörling michael at kjorling.se
Wed Sep 12 03:54:57 MDT 2018


On 11 Sep 2018 21:56 -0600, from retronet at mailman.chivanet.org (Grant Taylor via retronet):
> Outgoing:  I am planning on ALL WireGuard VPN keys to be generated on each
> member's client.  The member will then provide their public key file
> (${member}-${node}.pub) to the other members (including RetroNet Services)
> that they wish to connect to.
> 
> Incoming:  Members will need to accept and install the public key files of
> the other members (including RetroNet Services) that they want to connect
> to.

This sounds good. It also appears to me to have the side benefit that
if someone does screw up, at least nobody else is _directly_ affected,
no matter who does the screwing up.

Even if a Service node gets compromised, this only allows an attacker
access to the baseband traffic of the VPN link, which can be encrypted
in its own right if desired (say, using TLS, or separately negotiated
encrypted tunnels within the VPN). I also find it unlikely that
traffic on RetroNet would be particularly sensitive in nature.


> I want the underlying infrastructure to be
> designed with security in mind and in such a way that members are in
> complete control of their own security.

Sounds good, and is in line with at least my interpretation of RFC
7258 / BCP 188.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
  “The most dangerous thought that you can have as a creative person
              is to think you know what you’re doing.” (Bret Victor)
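The "incoming" half of the scheme quoted above is the part a member actually has to get right: a public key file from another member should be checked before it is installed, and the peer it creates should only be allowed to route its own node address. The following is an added example, not code from the thread or from the RetroNet project: it takes a `${member}-${node}.pub` file in the naming convention quoted above, verifies that it holds exactly one WireGuard public key (44 base64 characters decoding to 32 bytes), and renders a `[Peer]` section for `wg0.conf` with `AllowedIPs` scoped to the address the caller assigns to that node. The per-node `AllowedIPs` value, the sample key (32 bytes of `A`, constructed for the demo) and the use of GNU `base64 -d` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the list post. Validates a member's "${member}-${node}.pub"
# and emits a WireGuard [Peer] block scoped to that node's address.
set -eu

# Succeed only if the file holds one WireGuard public key: 44 base64 chars, 32 bytes decoded.
valid_wg_pubkey_file() {
    f=$1
    key=$(head -n 1 "$f" | tr -d '\r\n')
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # non-base64 character present
    esac
    [ "${#key}" -eq 44 ] || return 1     # 32 bytes base64-encode to 44 chars
    # Assumes GNU coreutils base64 (-d); a bad decode yields 0 bytes and fails the check.
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# peer_block FILE ALLOWED_IPS [ENDPOINT]
# Prints a [Peer] section for "<member>-<node>.pub". AllowedIPs is restricted to the
# address the operator assigns to that node, so an accepted key cannot route anything else.
peer_block() {
    f=$1; allowed=$2; endpoint=${3:-}
    valid_wg_pubkey_file "$f" || { echo "refusing $f: not a WireGuard public key" >&2; return 1; }
    base=$(basename "$f" .pub)
    member=${base%%-*}   # text before the first '-'
    node=${base#*-}      # text after the first '-'
    key=$(head -n 1 "$f" | tr -d '\r\n')
    printf '[Peer]\n# %s / %s\nPublicKey = %s\nAllowedIPs = %s\n' "$member" "$node" "$key" "$allowed"
    [ -n "$endpoint" ] && printf 'Endpoint = %s\n' "$endpoint"
    printf '\n'
}

# Demo with a constructed key file (32 bytes of 'A', base64-encoded); real keys come from
# `wg genkey | wg pubkey` on the member's own client, as the thread describes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=' > "$d/grant-node1.pub"
    peer_block "$d/grant-node1.pub" 10.44.0.2/32 vpn.example.net:51820
    rm -rf "$d"
}

demo
```

Appending the printed block to the interface configuration (after review) and running `wg syncconf` is left to the operator; the point of the helper is that a malformed or oversized "key" file never reaches the config, and that each accepted peer is confined to its own address.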

