danwent / Perspectives-Server

network notary implementation for the Perspectives project
http://perspectives-project.org
GNU General Public License v3.0

Include the host name inside signed replies #24

Open daveschaefer opened 11 years ago

daveschaefer commented 11 years ago

Currently the notary reply does not contain the host name. We should include it so clients can verify that the fingerprint returned is indeed for the host they expected.

Using SSL to encrypt the reply would also protect against attacks, but we should include it in the reply just in case.

danwent commented 11 years ago

Dave, the signature on the reply includes the service_id, which includes the hostname + port, so there is no risk of the reply being for a different host and still being accepted by the client.

See: https://github.com/danwent/Perspectives-Server/blob/master/client/client_common.py#L67
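Added example, not part of the thread and not the project's code: a sketch of the binding described in the reply above, where the signed bytes start with the service_id, so a reply recorded for one host fails verification when the client asked about another. Assumptions: HMAC-SHA256 stands in for the notary's public-key signature, and the byte layout, key, function names and sample values are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key. HMAC is a stand-in for the notary's public-key
# signature so the example runs with the standard library only.
NOTARY_KEY = b"constructed-demo-key"


def signed_bytes(service_id, observations):
    """Build the bytes the signature covers: service_id first, then key data.

    Hypothetical layout. Every variable-length field is length-prefixed so
    two different (service_id, observations) pairs never serialize equally.
    """
    sid = service_id.encode("utf-8")
    out = struct.pack(">H", len(sid)) + sid
    for fingerprint, first_seen, last_seen in sorted(observations):
        fp = bytes.fromhex(fingerprint.replace(":", ""))
        out += struct.pack(">H", len(fp)) + fp
        out += struct.pack(">II", first_seen, last_seen)
    return out


def notary_sign(service_id, observations):
    """Notary side: sign the observations together with the service_id."""
    msg = signed_bytes(service_id, observations)
    return hmac.new(NOTARY_KEY, msg, hashlib.sha256).digest()


def client_verify(requested_service_id, observations, signature):
    """Client side: rebuild the signed bytes from the service_id the client
    asked about, never from a host name carried inside the reply."""
    msg = signed_bytes(requested_service_id, observations)
    expected = hmac.new(NOTARY_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    # Constructed sample observation: (fingerprint, first_seen, last_seen)
    obs = [("aa:bb:cc:dd", 1300000000, 1300086400)]
    sig = notary_sign("bank.example:443", obs)
    same_host = client_verify("bank.example:443", obs, sig)
    other_host = client_verify("other.example:443", obs, sig)
    return same_host, other_host


if __name__ == "__main__":
    print(demo())
```

Because the client supplies the service_id itself when verifying, the reply does not need to carry a separate host name field for the check to fail on a mismatched host or port.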