tincd.exe -K (sorry if present twice)

Guus Sliepen guus at sliepen.eu.org
Mon May 3 22:47:39 CEST 2004


On Mon, May 03, 2004 at 10:32:36PM +0200, Axel Christiansen wrote:

> A dummi network (-c dummi) could fix my need. Thank you.
> I am using the tincd with a dynamic config. Whenever a
> connection comes up, pub keys and ip-config are exchanged
> before the final tincd config files are written. Therefore
> I want the key pair in a temporary area.
> 
> BTW. Can you or anyone else see a problem in the fact that the
> public part of the key of both sides travels in clear text
> over the net? I use RPC to exchange the pub keys and ip config.

There is no problem with sending public keys in cleartext, that's why
they are "public". An eavesdropper cannot learn anything useful from a
public key alone.

There is a problem in exchanging public keys in an automated fashion
though: a man in the middle could intercept a public key, replace it
with its own public key, and pass it on. Both sides think they got a
public key from each other, while in reality they got keys from the man
in the middle, and the man in the middle will be able to decrypt all the
traffic that is being sent.

You should never just trust a public key, you should verify that it
comes from the right person (which you can do easily yourself by talking
to that person), or you should sign the public key with another trusted
key, like with X.509 certificates or PGP signatures.

Could you tell us why you're dynamically exchanging public keys?

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
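The two defences named above, checking a received key's fingerprint over a trusted channel and accepting only keys signed by a key both sides already trust, as an added example in Go. This is not code from the tinc project or from either poster; it assumes Ed25519 keys (tinc used RSA keys at the time), a single shared signing key standing in for an X.509 CA or PGP signer, and constructed peer names ("alice", "bob") and an attacker key used only to show what the checks reject.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the SHA-256 hash of the raw public key, hex encoded: the
// short string an admin can read to the other side over the phone.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyOutOfBand compares the fingerprint of the key that arrived over the
// network with the fingerprint obtained through a trusted channel.
func VerifyOutOfBand(received ed25519.PublicKey, trustedFingerprint string) bool {
	got := []byte(Fingerprint(received))
	return subtle.ConstantTimeCompare(got, []byte(trustedFingerprint)) == 1
}

// SignedKey is a minimal certificate: a peer name, its public key, and a
// signature over both made by a key that every peer already trusts.
type SignedKey struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte
}

// certBytes binds the name to the key so a valid signature cannot be
// reused for a different peer (assumed layout: name, NUL, raw key).
func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueSignedKey is what the trusted signer does once, offline, per peer.
func IssueSignedKey(signerPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) SignedKey {
	return SignedKey{Name: name, Pub: pub, Sig: ed25519.Sign(signerPriv, certBytes(name, pub))}
}

// VerifySignedKey is what a peer runs on every key it receives: a key
// that the trusted signer did not vouch for (a swapped one, for instance)
// fails the signature check and is rejected.
func VerifySignedKey(signerPub ed25519.PublicKey, sk SignedKey) bool {
	if len(signerPub) != ed25519.PublicKeySize || len(sk.Pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a wrong-sized key; reject instead
	}
	return ed25519.Verify(signerPub, certBytes(sk.Name, sk.Pub), sk.Sig)
}

func main() {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed: a key nobody vouched for

	// Defence 1: fingerprint read over a trusted channel.
	spoken := Fingerprint(alicePub)
	fmt.Println("alice's own key passes fingerprint check:   ", VerifyOutOfBand(alicePub, spoken))
	fmt.Println("substituted key passes fingerprint check:   ", VerifyOutOfBand(otherPub, spoken))

	// Defence 2: key signed by a trusted signer.
	cert := IssueSignedKey(signerPriv, "alice", alicePub)
	fmt.Println("signed key verifies:                        ", VerifySignedKey(signerPub, cert))
	swapped := cert
	swapped.Pub = otherPub
	fmt.Println("substituted key under old signature verifies:", VerifySignedKey(signerPub, swapped))
}
```

The fingerprint check needs no infrastructure but needs a human on each side; the signed-key check needs the signer's public key installed on every node beforehand, which is exactly the bootstrap step a fully automated exchange tends to skip.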