On Sun, Aug 12, 2007 at 05:15:27PM +0200, Rado S wrote: > - "Client blessing is pointless, since we have not TCA." > What is TCA? Trusted Computing Architecture. My mistake, not a common enough term. Instead, use the term Trusted Computing (TC) and the Trusted Platform Module (TPM). The current RSA based client program verification scheme used by Netrek is trivial to defeat. Upon analysis, the reason for this is that the attacker (user) is in direct control of the hardware on which the program runs, and can simply modify the instructions being executed. There is nothing to prevent or detect this. TC and TPM would detect this. Further, such modifications can be automated and distributed rapidly over the internet. That we have not seen many only indicates that the market is small; there are so few Netrek players. If growth occurs, the problem will be enlarged. Social controls fail when social structure is changed. > When it's pointless, why require or even check for > registered clients on "continuum"? Continuum currently does not require that a client's RSA key be valid. [CONFIRM=0 in etc/sysdef] > (or are metas reporting wrong R flag?) The metaservers are indeed reporting a static value, indicating whether a server supports RSA validation by nature of it being compiled with the necessary program code. [ntserv/solicit.c isrsa++] > R: "Means that this server supports (and may REQUIRE) RSA validation." Continuum is complying with that definition. The server supports, and may require, RSA validation. The word "may" in this context can mean either "has permission to" or "might". -- James Cameron mailto:quozl at us.netrek.org http://quozl.netrek.org/