jbenet / random-ideas

random ideas
juan.benet.ai

Notes Re: Git Horror Story #8

Open jbenet opened 10 years ago

jbenet commented 10 years ago

Trivial thoughts after reading (skimming, really) http://mikegerwitz.com/papers/git-horror-story

Block-chain protecting git repositories

Burn commit hashes onto the (most secure) blockchain every so often. Meaning: issue a transaction sending coin to the sha1 (+ zero padding). This doesn't ensure the code is safe, it just saves commit hashes you already trust in a very public place. You can then crawl the blockchain and see what commits we trust. We should do this to the linux kernel and other major oss repos.

Force signing of every block

Certain git repos should not accept any object not signed by a given identity. The git tooling should be able to upgrade to Trusted mode as a whole. (This is probably recommended by the author.)

future proofing git hashes

At least, Git should move from sha1 to blake2b. It's faster and safer. Could even use the same hash digest size (truncate a blake2s hash to 160 bits).

Ideally, Git should use something like multihash. Not sure if this would force increasing hash digest size or other modifications (multihash biases first two bytes, subtracting 16 bits of security and skewing the distribution of any hash tables/bloom filters using digests directly).

FFT: bloom filters have to be multihash aware :(

As of now, bloom filters that don't re-hash input keys will be skewed by multihash (since they sample the first few bits). Fixed by any of (a) skip 2 bytes, (b) reverse the hash, or (c) rehash. (Note: multihash puts it at the beginning for Pascal-string-like skipping when scanning.)

FFT: force signing of all blocks in IPFS

Every block added to ipfs should be signed. Or at least make it the default. Or make it hard to add unsigned blocks (i.e., require a POW for anonymity, making it just costly enough that unsigned is unlikely to ever be set as a default). Of course, people can still generate sybils, but ipfs identity generation may evolve to a web-of-trust.

FFT2: web-of-trust in IPFS

IPFS should be able to verify id is in a given web-of-trust. Then, implement modes to verify at block and packet level.
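
Added example (not part of the original comment, and not code from git, IPFS or multihash): a measurement of the bloom-filter skew described in the "bloom filters have to be multihash aware" note, with fixes (a), (b) and (c) side by side. The filter layout (two 16-bit indexes sliced from the front of the key), the key names and the sizes are assumptions chosen for illustration; `0x11 0x14` is the multihash header for a 20-byte sha1 digest.

```python
import hashlib

SHA1_PREFIX = bytes([0x11, 0x14])  # multihash header: sha1 function code, 20-byte length
M_BITS = 1 << 16                   # filter size in bits; one index = one 16-bit word
K = 2                              # indexes sampled per key

def multihash_sha1(data: bytes) -> bytes:
    return SHA1_PREFIX + hashlib.sha1(data).digest()

def indexes(key: bytes) -> list:
    """Filter that does not re-hash: takes the first K 16-bit words of the key."""
    return [int.from_bytes(key[2 * i:2 * i + 2], "big") for i in range(K)]

# Key preparations: the unfixed case and fixes (a), (b), (c) from the note.
PREPARE = {
    "naive": lambda mh: mh,
    "skip2": lambda mh: mh[2:],
    "reverse": lambda mh: mh[::-1],
    "rehash": lambda mh: hashlib.blake2b(mh, digest_size=20).digest(),
}

def distinct_first_indexes(mode: str, n: int = 1000) -> int:
    prep = PREPARE[mode]
    return len({indexes(prep(multihash_sha1(b"key-%d" % i)))[0] for i in range(n)})

def false_positive_rate(mode: str, n_insert: int = 2000, n_probe: int = 20000) -> float:
    prep = PREPARE[mode]
    bits = bytearray(M_BITS // 8)
    for i in range(n_insert):  # constructed keys, inserted into the filter
        for j in indexes(prep(multihash_sha1(b"in-%d" % i))):
            bits[j >> 3] |= 1 << (j & 7)
    hits = 0
    for i in range(n_probe):   # constructed keys that were never inserted
        idx = indexes(prep(multihash_sha1(b"out-%d" % i)))
        hits += all(bits[j >> 3] >> (j & 7) & 1 for j in idx)
    return hits / n_probe

if __name__ == "__main__":
    for mode in PREPARE:
        print(mode, distinct_first_indexes(mode), false_positive_rate(mode))
```

In the naive case every key's first index is the constant header word, so the filter effectively runs with one index instead of two and its false-positive rate rises accordingly; each of the three fixes restores a uniform first index.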

jbenet commented 10 years ago

@davidad you've probably already taken web of trust models into account in your OSI model, but just in case. Will be pretty sweet to drop packets if the id is untrusted :)

Hm, could be a double-edged sword (for internet openness) if backbone routers started doing that :(. But I guess you can always encapsulate with messages from dumb/compromised nodes.

davidad commented 10 years ago

If backbone routers are owned/operated by citizen cooperatives, it wouldn't be such a problem ;)