Okay, ignore that one of the trapezoids is flipped but pull up that same
image again.
Between A<->B, A<->C, and a (potentially future) B<->C, in my version of
captp I'm also introducing the concept of a "session name". Thus A is
not only handing B access to their A<->C import/export (A/C
respectively) of Carol at 0, they're handing 0 from *within a specific
session* of A<->C. This is important because if something goes wrong
(irrepairable connection, or irrepairable state negotiation), A<->C
might have to establish a new session, and what is imported/exported at
slot 0 might no longer be the same.
I'm not sure it's the right thing, but I've generated a unique session
name per machine<->machine connection the following way. At the
beginning of booting up a vattp (or machinetp?) & captp pairwise
connection, both sides exchange the following structures: [PS:MTP]
;; A -> C
(send-message (mtp:op:start-session <a-atoc-handoff-pubkey>))
;; C -> A
(send-message (mtp:op:start-session <c-atoc-handoff-pubkey>))
Note that this is a NEW KEY generated for this session. That both sides
generate a BRAND NEW KEYPAIR is critical to this design.
From there, a session name can be constructed (thus maybe it should be
called session-pubkey, I dunno... I'm only using it for handoffs so
far). From my code:
;; Both sides should converge on the same session name if all goes well
;; because both sides should have sorted by bytes
(define session-name
(sha256d (apply bytes-append
#"prot0"
(sort (list remote-side-name our-side-name)
bytes<?))))
Since each side is contributing a fresh new handoff key, we should have
a new session name every time.
So I have this and it works. Good/fine/etc.
It has an interesting implication for the certificates then.
While A is granting B authority to Carol on C, observe that the
certificate should actually say the following:
- A is referring to the import/export of carol *from their particular
session*
- A is *signing their end of the certificate* from the key they
provided to the A<->C session
- But curiously, A is *granting* the certificate to the key B provided
from the A<->B handoff session. Nothing about B's identity is
actually encoded in the certificate, surprisingly!
- This does mean what C needs to do to verify that this signature came
"from A":
- Look up what "active session" they have open (if any) matching the
certificate's mentioned session name
- Make sure that the certifiate is signed by the *other end of that
session*
- Curiously this also means that nothing about "A", identity-wise,
necessarily needs to appear on the certificate for the handoff to
work, since what C really cares about is gifting from an *open
session with the mentioned name*, in this case.
That's kind of surprising. No "identity" really at all of "A" mentioned
on the certificate, neither of "B"... only keys related to two specific
sessions.
But C's "identity" does come in somehow... the reason being that B needs
to know:
1. Whether they already have an open connection to C
2. How to start a new connection to C if they don't yet have an open
connection
For now, I'm going to call this particular kind of identity "location".
What it really does is tell B how to route messages to C... and also
whether they already have a way to route messages to C. It's critical
to shortening, network monitoring and routing attacks, and to some
degree, integrity... though less than it may appear, because if A tries
to specify a session name they had no part of, it doesn't really help
them do anything interesting... or does it? They could maybe mislead B
into setting up a "path" to C that is snooped on by A. I need some more
time to think of the ways in which things could go badly, especially the
ways that A could misdirect B. My brain is curdling a bit here.
But maybe here is a path out. Consider an adjustment to the
start-session op: [PS:LOCATIONS]
;; A -> C
(send-message
(mtp:op:start-session <a-atoc-handoff-pubkey>
<signed-by-that-key <acceptable-a-location>>))
;; C -> A
(send-message
(mtp:op:start-session <c-atoc-handoff-pubkey>
<signed-by-that-key <acceptable-c-location>>))
It might be then that A has to hand a <acceptable-c-location> that was
signed by C's part of the session-name, thus meaning that A can't insert
*A's preferred way to get to C*. This can also be compared (eq? eek!)
for shortening / lack of duplicate connections/sessions purposes.
But my brain is roughly cottage cheese at this point. Assuming
brain-curdling is not a one-way function, I'll have to see if I can
analyze this as being reasonably "safe" and "sane" once I've
reconstituted it.
- Chris
[PS:MTP] Why mtp:? All other op: are for captp, but this crosses over
into the machinetp, aka vattp, territory because it involves some
weird-ass connection establishment and identity crap. Yeah maybe it's
just an op: because maybe this is captp'ish, I dunno. I hate the amount
of crossover happening here.
[PS:LOCATIONS] Yes, I put "location" here and not "locations". Having
one identity used for shortening, rather than a set, seems easier. My
brain is broken enough already.