[Monotone-devel] Re: Enquiries about the "monotone" architecture and security features
Fri, 28 May 2004 10:50:33 -0400
Mozilla Thunderbird 0.5 (X11/20040208)
> sorry for disturbing you again. i want to know the underlying architecture of "monotone".
it's ok, but I will forward this email to our mailing list; this way
more people can see the discussion we are having.
> what kind of architecture are you implementing for "monotone"?
distributed, decentralized, serverless. there is no central point of
failure, trust, or communication, and no difference between clients and
> can you send me a picture of this architecture? so that it is easy for me to figure
> out what you have explained.
> i still want to ask something about your "monotone" security. how can the
> cryptographic naming and RSA implementation authenticate that the source code is genuine? and
> how is this security integrated into your system to provide more security features? is
> there any diagram explaining this? if not, can you draw the diagram and send it to me?
> sorry for too many requests.
"authentic" source code is a somewhat misleading concept. an RSA
certificate suggests that the holder of a particular key has attested to
a particular fact about some source code (say, approved it) but that
doesn't mean that the source code *is* or *is not* "authentic" in any
universal sense. all an RSA signature means is that you have some
evidence that some person made some statement. the statement might be a
lie, or your evidence might be false (say the key was stolen), or both.
that is all RSA can help you with, and it's all we provide. there is a
limit to these things in the practical world.
> i also would like to know the differences between "monotone" and the "OpenCM" system in terms of the security features and the underlying architecture implementation.
the underlying difference is centralization. OpenCM manages a canonical,
central repository, with developer databases reflecting the state of the
canonical repository. monotone manages only developers' databases. users
flood changes to one another, out of order, with no locking or
serialization. monotone offers tools to help manage the divergence which
will occur under that model, but tolerates divergence when it happens.
> as far as i know, OpenCM also implements SHA1 and RSA for security purposes. but i don't know what the differences are between "monotone" and the "OpenCM" system in terms of these two aspects.
RSA and SHA1 are just security tools; they have no specific mode of use
required. I haven't studied it in depth, but I guess that OpenCM uses
SHA1 to verify file integrity between clients and server, and RSA to
verify client identity. monotone uses SHA1 to calculate entity names
(files, manifests) and RSA to form certificates which describe metadata
(such as history) from the varying perspectives of each user. monotone
and OpenCM are quite different.
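To make the two answers above concrete, here is an added Python sketch (not monotone's code) of SHA1 entity names for files and a manifest, and of an RSA certificate that binds a statement to a manifest id; the manifest line format, the cert layout and the tiny Mersenne-prime key are assumptions for illustration only.

```python
# Added illustration: SHA1 names for entities plus RSA-signed certs on those names.
# Not monotone's actual formats or key handling; everything below is constructed.
import hashlib

def file_id(content):
    # an entity's name is the SHA1 of its content, so a changed file gets a new name
    return hashlib.sha1(content).hexdigest()

def manifest(files):
    # assumed layout: one "<file id>  <path>" line per file, sorted by path
    lines = (f"{file_id(c)}  {p}\n" for p, c in sorted(files.items()))
    return "".join(lines).encode()

def manifest_id(files):
    # the manifest is itself an entity named by its SHA1
    return hashlib.sha1(manifest(files)).hexdigest()

# Toy RSA key built from Mersenne primes M61 and M89 (constructed; ~150-bit
# modulus, far too small for real use, chosen only so the example runs offline).
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def cert_text(entity_id, name, value):
    # assumed cert layout: the statement "<name> = <value>" about one entity id
    return f"{entity_id}\n{name}\n{value}\n".encode()

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign_cert(entity_id, name, value, priv=(N, D)):
    # whoever holds D can make this statement; nothing here says it is true
    n, d = priv
    h = _digest_int(cert_text(entity_id, name, value), n)
    return {"id": entity_id, "name": name, "value": value, "sig": pow(h, d, n)}

def verify_cert(cert, pub=(N, E)):
    # a passing check only shows the holder of this key signed these exact bytes
    n, e = pub
    h = _digest_int(cert_text(cert["id"], cert["name"], cert["value"]), n)
    return pow(cert["sig"], e, n) == h

if __name__ == "__main__":
    tree = {"README": b"hello\n", "src/main.c": b"int main(void) { return 0; }\n"}
    mid = manifest_id(tree)
    cert = sign_cert(mid, "approved", "yes")
    print(mid, verify_cert(cert))
    print(verify_cert(dict(cert, value="no")))  # altered statement no longer verifies
```

Altering any file changes the manifest id, so a certificate on the old id says nothing about the new tree; verification of a stolen key's certificate still succeeds, which is exactly the limit described above.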
graydon hoare