[tahoe-dev] Building a more resistant introducer

Brian Warner warner at lothar.com
Thu Dec 10 23:31:10 UTC 2009


Francois Deppierraz wrote:

> pb://TubID@volunteergrid-introducer.allmydata.org:53345,tahoe.ctrlaltdel.ch:53345,another-hostname:53345/introducer

Great idea!

> The private key of this introducer will be kept by Zooko and myself for
> now.  I'm wondering about the security implications of publishing it to
> the world.  That would allow someone else to take over the introducer
> duty if the current one disappears.

Someone who possesses the private key (and can cause client traffic to go
to a computer under their control, either by controlling your IP
routing, the DNS mapping, or by just running one of the named computers
normally) can effectively define the grid: they can control which
servers are used by any given client. That means a client could be
forced to see a subset of the "correct" server list, or none, or an
entirely separate network. Note that this only affects availability, not
confidentiality or integrity.

That said, for our purposes, I think it'd be fine to publish this
private key, or merely hand it out to anyone who asks for it.

Incidentally, we should only run one introducer at a time. Clients will
attempt to connect to all of the FURL's "connection hints"
simultaneously, and the first correct response will win. So we shouldn't
spin up a new introducer until we're sure the old one is dead. (the
consequence of having two running at the same time is like an IRC
netsplit: the grid will split into two pieces, and you'll only be able
to see the nodes that connected to the same introducer as you).

> We still need a third person willing
> to provide a DNS record and the duty of keeping it up to date in case
> the introducer has to move.

I can run a third. Name it "testgrid.lothar.com" and I'll set up the DNS
mapping later.

thanks!,
 -Brian
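
An added example, not part of the original message and not Tahoe-LAFS or Foolscap code: it parses the multi-hint FURL quoted above and flags the netsplit condition, where more than one distinct machine answers as the same TubID. The function names, the IP addresses and the `answering` probe results are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

FURL_RE = re.compile(r"^pb://(?P<tubid>[^@/]+)@(?P<hints>[^/]+)/(?P<name>.+)$")

def parse_furl(furl):
    """Split a FURL into (tubid, [(host, port), ...], name)."""
    m = FURL_RE.match(furl.strip())
    if m is None:
        raise ValueError("not a pb:// FURL: %r" % (furl,))
    hints = []
    for hint in m.group("hints").split(","):
        host, sep, port = hint.rpartition(":")
        if not (host and sep and port.isdigit()):
            raise ValueError("bad connection hint: %r" % (hint,))
        hints.append((host, int(port)))
    return m.group("tubid"), hints, m.group("name")

def live_introducers(furl, resolved, answering):
    """Map each machine that answers as the FURL's TubID to the hints leading to it.

    resolved:  hint hostname -> IP address (a DNS snapshot)
    answering: set of (ip, port) that completed a handshake proving the key
    """
    _tubid, hints, _name = parse_furl(furl)
    machines = defaultdict(list)
    for host, port in hints:
        ip = resolved.get(host)  # unresolved hints can never match below
        if (ip, port) in answering:
            machines[(ip, port)].append(host)
    return dict(machines)

def split_risk(furl, resolved, answering):
    """True when more than one distinct machine answers for the same FURL."""
    return len(live_introducers(furl, resolved, answering)) > 1

# FURL as written in the message; the addresses below are constructed sample data.
SAMPLE_FURL = ("pb://TubID@volunteergrid-introducer.allmydata.org:53345,"
               "tahoe.ctrlaltdel.ch:53345,another-hostname:53345/introducer")
SAMPLE_DNS = {"volunteergrid-introducer.allmydata.org": "192.0.2.10",
              "tahoe.ctrlaltdel.ch": "192.0.2.10",
              "another-hostname": "198.51.100.7"}

if __name__ == "__main__":
    one = {("192.0.2.10", 53345)}             # single introducer behind two names
    two = one | {("198.51.100.7", 53345)}     # a second machine also answers
    print(split_risk(SAMPLE_FURL, SAMPLE_DNS, one))
    print(live_introducers(SAMPLE_FURL, SAMPLE_DNS, two))
```

Several hints resolving to one machine is the healthy case; two machines answering with the same key is the split, whether the second is a volunteer who started early or anyone else holding the published key.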
