libp2p / specs

Technical specifications for the libp2p networking stack
https://libp2p.io

Rendezvous message signing #303

Open vasco-santos opened 3 years ago

vasco-santos commented 3 years ago

In the same way as we added message signing in Pubsub (https://github.com/ipfs/go-ipfs/issues/5383#issuecomment-413288002 + https://github.com/libp2p/go-libp2p-pubsub/pull/97), we should add message signing to our rendezvous register messages.

While we can guarantee that the addresses are authenticated through the Signed Peer Record, we cannot have guarantees that a malicious Rendezvous Point exists. Taking into account a discovery query for a given namespace, the signed peer records returned by the rendezvous point could be obtained from a registration to a different namespace, or just by crawling the network.

We will need to have a signature that also includes the namespace. Unfortunately, we cannot validate the ttl, but it would not be worth it, as the user could just unregister and the record would still be valid.

The easiest solution here would be signing the concatenation of a rendezvous prefix, the signed peer record bytes and the namespace. Its disadvantages are the extra signature creation, validation and size of the message.

cc Rendezvous Interest group @jacobheun @vyzo @daviddias @whyrusleeping @Stebalien @yusefnapora
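
The namespace-bound signature proposed in this issue, sketched as an added example (not code from the issue or from any libp2p implementation). It assumes a plain Ed25519 key from the Go standard library in place of libp2p's key types; the prefix string, the function names and the 4-byte length prefixes on each field are hypothetical choices, the last added so the record/namespace boundary is unambiguous.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Hypothetical domain-separation prefix; the issue does not define one.
const regPrefix = "example-rendezvous-registration:"

// field appends a 4-byte big-endian length followed by the bytes. Length
// prefixes are an assumption added to the plain concatenation in the issue,
// so the record/namespace boundary cannot be shifted.
func field(buf, b []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(b)))
	return append(append(buf, n[:]...), b...)
}

// payload is prefix || len(record) || record || len(ns) || ns.
func payload(record []byte, ns string) []byte {
	return field(field([]byte(regPrefix), record), []byte(ns))
}

// SignRegistration is run by the registering peer with its own key.
func SignRegistration(priv ed25519.PrivateKey, record []byte, ns string) []byte {
	return ed25519.Sign(priv, payload(record, ns))
}

// VerifyRegistration is run by the discovering peer on each returned record.
func VerifyRegistration(pub ed25519.PublicKey, record []byte, ns string, sig []byte) bool {
	return len(sig) == ed25519.SignatureSize && ed25519.Verify(pub, payload(record, ns), sig)
}

// Demo signs a constructed record for "chat-app" and reports whether the
// signature verifies for that namespace, for a different namespace, and for
// a shifted record/namespace split.
func Demo() (same, replayed, shifted bool) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	record := []byte("constructed-signed-peer-record-bytes")
	sig := SignRegistration(priv, record, "chat-app")
	same = VerifyRegistration(pub, record, "chat-app", sig)
	replayed = VerifyRegistration(pub, record, "file-share", sig)
	shifted = VerifyRegistration(pub, append(record, 'c'), "hat-app", sig)
	return
}

func main() { fmt.Println(Demo()) }
```

A discovering peer that runs the verification with the namespace it queried rejects a record the rendezvous point took from another namespace's registration.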