Open MarcoPolo opened 1 year ago
I've update the spec with a couple changes:
challenge-client
value.I'm considering making one more change to this spec: Allow the client to send a challenge in the initial request. This would allow the client to authenticate the server on the first round trip, and to send application data after only one round trip. It is similar in spirit to how the noise XX handshake works where the responder (server in our case) is authenticated after the first round trip.
I can't think of any compelling reason to not allow this, and many reasons to support it. The main reason being that in cases you know you need to authenticate, it removes a round trip.
Are there any compelling cases you can think of @Stebalien, @sukunrt, @aschmahmann?
Essentially supporting this flow:
sequenceDiagram
C->>S: challenge-server
S-->>C: challenge-client+server-sig [server authenticated]
C->>S: client-sig + application data [client authenticated]
S-->>C: resp
Alongside what is currently defined:
sequenceDiagram
C->>S: initial request
S-->>C: challenge-client
C->>S: client-sig+challenge-server [client authenticated]
S-->>C: server-sig [server authenticated]
C->>S: application data
S-->>C: resp
I agree, the client should send its challenge in the first message.
I've removed the peer id authentication scheme from the core spec of #508 for a couple reasons:
On 2, this is the first time we are doing a peer id auth scheme that relies on web PKI, and thus has slightly different security properties than what we've done in the past. Instead of tying a peer id to an underlying encrypted channel we are tying it to a domain name. If the client can't trust the domain name (e.g. has enterprise root CAs installed) then their connection can be mitmd. In practice I don't think this is a serious concern because:
go-libp2p implementation: https://github.com/libp2p/go-libp2p/pull/2854