[Freedombox-discuss] Allied Efforts.

Paul Gardner-Stephen paul at servalproject.org
Thu Oct 20 13:01:29 UTC 2011


Hello,

On Thu, Oct 20, 2011 at 7:13 PM, Michael Rogers <m-- at gmx.com> wrote:
> On 20/10/11 01:59, Paul Gardner-Stephen wrote:
>> One of the interesting challenges we are addressing with this is how
>> to secure the update process to prevent unlawful sabotaging of the
>> Serval network through seizing or reverse engineering the signing key.
>>  I am happy to explain more of our thinking on this if there is
>> interest.
>
> Hi Paul,
>
> I'd be interested in hearing more about this if you have some time.

So the main approach we are planning on here is a voting system with a
pool of signing authorities.
Serval itself would be one of the signing authorities, and we are
actively seeking other open-source friendly organisations in different
countries to be other signing authorities.

Then for each release of the Serval software we would sign the Android
package, and then invite the other signing authorities to also sign
it.

The Serval software update process would require each update to be
signed by a majority of these authorities, thus preventing the capture
of the key from any one (or few) of the organisations being sufficient
to enable effective signing of a trojan update.

The idea of this is to prevent the illegitimate shutting down or
subversion of the Serval software via the automatic update process,
such as what happened with LimeWire (although the comparison is not
exact, given that the primary functions of Serval are to facilitate
actions such as supporting the universal human right to freedom of
expression, and communication in the absence of supporting
infrastructure).

Paul.
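
The majority-signature check described in the message above, as an added example (not Serval's code and not part of the original post). Assumptions: the authority names are hypothetical, "majority" is read as a strict majority of the whole pool, and Lamport one-time signatures built from SHA-256 stand in for whatever signature scheme a deployment would use.

```python
import hashlib
import secrets

def _h(b): return hashlib.sha256(b).digest()

def _bits(msg):
    d = int.from_bytes(_h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

# Lamport one-time signatures: a stdlib-only stand-in for a real scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        _h(s) == pk[i][b] for (i, b), s in zip(enumerate(_bits(msg)), sig))

def update_accepted(package, signatures, trusted):
    """trusted: {authority: public key}; signatures: [(authority, sig)]."""
    valid = set()
    for name, sig in signatures:
        pk = trusted.get(name)          # signers outside the pool are ignored
        if pk is not None and verify(pk, package, sig):
            valid.add(name)             # a set: each authority counts once
    return 2 * len(valid) > len(trusted)  # strict majority of the whole pool

def demo():
    names = ["serval", "org-b", "org-c", "org-d", "org-e"]  # constructed pool
    keys = {n: keygen() for n in names}
    trusted = {n: pk for n, (sk, pk) in keys.items()}
    release, trojan = b"constructed release bytes", b"constructed trojan bytes"
    good = [(n, sign(keys[n][0], release)) for n in names[:3]]
    # Two captured keys sign the trojan; the attacker repeats one signature.
    bad = [(n, sign(keys[n][0], trojan)) for n in names[:2]]
    bad.append(bad[0])
    outsider_sk, _ = keygen()
    bad.append(("org-x", sign(outsider_sk, trojan)))
    return {
        "release": update_accepted(release, good, trusted),
        "trojan": update_accepted(trojan, bad, trusted),
        "replayed": update_accepted(trojan, good, trusted),
    }

if __name__ == "__main__":
    print(demo())
```

Counting against the size of the trusted pool rather than the number of signatures supplied is what keeps two captured keys out of five from passing, however many times their signatures are repeated.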


