diff --git a/docs/index.md b/docs/index.md index 62a1463..bbb3480 100644 --- a/docs/index.md +++ b/docs/index.md @@ -145,4 +145,4 @@ worth, probably several screens. - [How to do VPNs right](how_to_do_VPNs.html) - [How to prevent malware](safe_operating_system.html) - [The cypherpunk program](cypherpunk_program.html) -- [Replacing TCP and UDP](replacing_TCP.html) +- [Replacing TCP and UDP](names/TCP.html) diff --git a/docs/libraries.md b/docs/libraries.md index bf431d8..8532d3b 100644 --- a/docs/libraries.md +++ b/docs/libraries.md @@ -833,7 +833,7 @@ which could receive a packet at any time. I need to look at the GameNetworkingSockets code and see how it listens on lots and lots of sockets. If it uses [overlapped IO], then it is golden. Get it up first, and it put inside a service later. -[Overlapped IO]:client_server.html#the-select-problem +[Overlapped IO]:server.html#the-select-problem {target="_blank"} The nearest equivalent Rust application gave up on congestion control, having programmed themselves into a blind alley. diff --git a/docs/names/replacing_TCP.md b/docs/names/TCP.md similarity index 99% rename from docs/names/replacing_TCP.md rename to docs/names/TCP.md index 4cee798..8fc471f 100644 --- a/docs/names/replacing_TCP.md +++ b/docs/names/TCP.md @@ -91,7 +91,7 @@ ECN tagged packets are dropped Raw sockets provide greater control than UDP sockets, and allow you to do ICMP like things through ICMP. -I also have a discussion on NAT hole punching, [peering through nat](peering_through_nat.html), that +I also have a discussion on NAT hole punching, [peering through nat](nat.html), that summarizes various people's experience. To get an initial estimate of the path MTU, connect a datagram socket to diff --git a/docs/names/name_system.md b/docs/names/names.md similarity index 73% rename from docs/names/name_system.md rename to docs/names/names.md index 27a6960..59f1872 100644 --- a/docs/names/name_system.md +++ b/docs/names/names.md @@ -11,10 +11,10 @@ to its name server, which will henceforth direct people to that wallet. If the wallet has a network accessible tcp and/or UDP address it directs people to that address (one port only, protocol negotiation will occur once the connection is established, rather than protocols being defined by the port -number). If not, will direct them to a UDT4 rendevous server, probably itself. +number). If not, will direct them to a UDT4 rendezvous server, probably itself. We probably need to support [uTP for the background download of bulk data]. -This also supports rendevous routing, though perhaps in a different and +This also supports rendezvous routing, though perhaps in a different and incompatible way, excessively married to the bittorrent protocol.We might find it easier to construct our own throttling mechanism in QUIC, accumulating the round trip time and square of the round trip time excluding @@ -205,6 +205,129 @@ hosting your respectable username that you do not use much. We also need a state religion that makes pretty lies low status, but that is another post. +#True Names and TCP + +Vernor Vinge [made the point](http://www.amazon.com/True-Names-Opening-Cyberspace-Frontier/dp/0312862075) that true names are an instrument of +government oppression. If the government can associate your true name +with your actions, it can punish you for those actions. If it can find the true +names associated with a transaction, it is a lot easier to tax that transaction. + +Recently there have been moves to make your cell phone into a wallet. A +big problem with this is that cell phone cryptography is broken. Another +problem is that cell phones are not necessarily associated with true names, +and as soon as the government hears that they might control money, it +starts insisting that cell phones *are* associated with true names. The phone +companies don’t like this, for if money is transferred from true name to +true name, rather than cell phone to cell phone, it will make them a servant +of the banking cartel, and the bankers will suck up all the gravy, but once +people start stealing money through flaws in the encryption, they will be +depressingly grateful that the government can track account holders down +and punish them – except, of course, the government probably will not be +much good at doing so. + +TCP is all about creating connections.  It creates connections between +network addresses, but network addresses correspond to the way networks +are organized, not the way people are organized, so on top of networks we +have domain names. + +TCP therefore establishes a connection *to* a domain name rather than a +mere network address – but there is no concept of the connection coming +*from* anywhere humanly meaningful. + +Urns are “uniform resource names”, and uris are “uniform resource identifiers” and urls are “uniform resource locators”, and that is what the +web is built out of.  + +There are several big problems with urls: + +1. They are uniform: Everyone is supposed to agree on one domain + name for one entity, but of course they don’t.  There is honest and + reasonable disagreement as to which jim is the “real” jim, because + in truth there is no one real jim, and there is fraud, as in lots of + people pretending to be Paypal or the Bank of America, in order to + steal your money. + +2. They are resources: Each refers to only a single interaction, but of + course relationships are built out of many interactions.  There is no + concept of a connection continuing throughout many pages, no + concept of logon.  In building urls on top of TCP, we lost the + concept of a connection.  And because urls are built out of TCP + there is no concept of the content depending on both ends of the + connection – that a page at the Bank might be different for Bob than + it is for Carol – that it does in reality depend on who is connected is + a kluge that breaks the architecture. + + Because security (ssl, https) is constructed below the level of a + connection, because it lacks a concept of connection extending + beyond a single page or a single url, a multitude of insecurities + result. We want https and ssl to secure a connection, but https and + ssl do not know there are such things as logons and connections. + +That domain names and hence urls presuppose agreement, agreement +which can never exist, we get cybersquatting and phishing and +suchlike. + +That connections and logons exist, but are not explicitly addressed by the +protocol leads to such attacks as cross site scripting and session fixation. + +A proposed fix for this problem is yurls, which apply Zooko’s triangle to +the web: One adds to the domain name a hash of a rule for validating the +public key, making it into Zooko’s globally unique identifier.  The +nickname (non unique global identifier) is the web page title, and the +petname (locally unique identifier) is the title under which it appears in +your bookmark list, or the link text under which it appears in a web page. + +This, however, breaks normal form.  The public key is an attribute of the +domain, while the nickname and petnames are attributes of particular web +pages – a breach of normal form related to the loss of the concept of +connection – a breach of normal form reflecting the fact that that urls +provide no concept of a logon, a connection, or a user.   + +OK, so much for “uniform”.  Instead of uniform identifiers, we should +have zooko identifiers, and zooko identifiers organized in normal form. +But what about “resource”, for “resource” also breaks normal form. + +Instead of “resources”, we should have “capabilities”.  A resource +corresponds to a special case of a capability, a resource is a capability +that that resembles a read only file handle. But what exactly are "capabilities”? + +People with different concepts about what is best for computer security +tend to disagree passionately and at considerable length about what the +word “capability” means, and will undoubtedly tell me I am a complete +moron for using it in the manner that I intend to use it, but barging ahead anyway: + +A “capability” is an object that represents one end of a communication +channel, or information that enables an entity to obtain such a channel, or +the user interface representation of such a channel, or such a potential +channel. The channel enables the possessor of the capability to do stuff to +something, or get something.  Capabilities are usually obtained by being +passed along the communication channel. Capabilities are usually +obtained from capabilities, or inherited by a running instance of a program + when the program is created, or read from storage after originally being + obtained by means of another capability. + +This definition leaves out the issue of security – to provide security, +capabilities need to be unforgeable or difficult to guess.  Capabilities are +usually defined with the security characteristics central to them, but I am +defining capabilities so that what is central is connections and managing +lots of potential connection.  Sometimes security and limiting access is a +very important part of management, and sometimes it is not. + +A file handle could be an example of a capability – it is a communication +channel between a process and the file management system.  Suppose we +are focussing on security and access management to files: A file handle +could be used to control and manage permissions if a program that has the +privilege to access certain files could pass an unforgeable file handle to +one of those files to a program that lacks such access, and this is the only +way the less privileged program could get at those files. + +Often the server wants to make sure that the client at one end of a +connection is the user it thinks it is, which fits exactly into the usual +definitions of capabilities.  But more often, the server does not care who +the client is, but the client wants to make sure that the server at the other +end of the connection is the server he thinks it is, which, since it is the +client that initiates the connection, does not fit well into many existing +definitions of security by capabilities. + # Mapping between globally unique human readable names and public keys The blockchain provides a Merkle-patricia dac of human readable names. Each diff --git a/docs/names/peering_through_nat.md b/docs/names/nat.md similarity index 98% rename from docs/names/peering_through_nat.md rename to docs/names/nat.md index 883dd11..b4d110a 100644 --- a/docs/names/peering_through_nat.md +++ b/docs/names/nat.md @@ -4,11 +4,11 @@ title: Peering through NAT ... A library to peer through NAT is a library to replace TCP, the domain name system, SSL, and email. This is covered at greater length in -[Replacing TCP](replacing_TCP.html) +[Replacing TCP](TCP.html) # Implementation issues -There is a great [pile of RFCs](./replacing_TCP.html) on issues that arise with using udp and icmp +There is a great [pile of RFCs](TCP.html) on issues that arise with using udp and icmp to communicate. ## timeout diff --git a/docs/names/client_server.md b/docs/names/server.md similarity index 98% rename from docs/names/client_server.md rename to docs/names/server.md index 324d1e2..9356db0 100644 --- a/docs/names/client_server.md +++ b/docs/names/server.md @@ -1,24 +1,24 @@ --- -title: Client Server Data Representation +title: Server Data Representation ... # related -[Replacing TCP, SSL, DNS, CAs, and TLS](replacing_TCP.html){target="_blank"} +[Replacing TCP, SSL, DNS, CAs, and TLS](TCP.html){target="_blank"} -# clients and hosts, masters and slaves +# clients and hosts, masters and servers -A slave does the same things for a master as a host does for a client. +A server does the same things for a master as a host does for a client. -The difference is how identity is seen by third parties. The slaves identity -is granted by the master, and if the master switches slaves, third parties +The difference is how identity is seen by third parties. The servers identity +is granted by the master, and if the master switches servers, third parties scarcely notice. It the same identity. The client's identity is granted by the host, and if the client switches hosts, the client gets a new identity, as for example a new email address. If we use [Pake and Opaque](libraries.html#opaque-password-protocol) for client login, then all other functionality of the server is unchanged, regardless of whether the server is a host or a -slave. It is just that in the client case, changing servers is going to change +server. It is just that in the client case, changing servers is going to change your public key. Experience with bitcoin is that a division of responsibilities, as between Wasabi wallet and Bitcoin core, is the way to go - that the peer to peer networking functions belong in another process, possibly running on @@ -31,16 +31,18 @@ desires, and contradictory functions. Ideally one would be in a basement and generally turned off, the other in the cloud and always on. Plus, I have come to the conclusion that C and C++ just suck for -networking apps. Probably a good idea to go Rust for the slave or host. +networking apps. Probably a good idea to go Rust for the server or host. The wallet is event oriented, but only has a small number of concurrent -tasks. A host or slave is event oriented, but has a potentially very large +tasks. A host or server is event oriented, but has a potentially very large number of concurrent tasks. Rust has no good gui system, there is no wxWidgets framework for Rust. C++ has no good massive concurrency system, there is no Tokio for C++. -Where do we put the gui for controlling the slave? In the master, of +Where do we put the gui for controlling the server? In the master, of course. +Where do we put the networking stuff? in the server. + # the select problem To despatch an `io` event, the standard is `select()`. Which standard sucks @@ -102,7 +104,7 @@ Linux people recommended a small number of threads, reflecting real hardware thr I pray that that wxWidgets takes care of mapping windows asynchronous sockets to their near equivalent functionality on Linux. -But writing a server/host/slave for Linux is fundamentally different to +But writing a server/host/server for Linux is fundamentally different to writing one for windows. Maybe we can isolate the differences by having pure windows sockets, startup and shutdown code, pure Linux sockets, startup and shutdown code, having the sockets code stuff data to and from diff --git a/docs/names/true_names_and_TCP.md b/docs/names/true_names_and_TCP.md deleted file mode 100644 index c6d51c9..0000000 --- a/docs/names/true_names_and_TCP.md +++ /dev/null @@ -1,117 +0,0 @@ ---- -lang: en -title: True Names and TCP ---- -Vernor Vinge [made the point](http://www.amazon.com/True-Names-Opening-Cyberspace-Frontier/dp/0312862075) that true names are an instrument of -government oppression. If the government can associate -your true name with your actions, it can punish you for -those actions. If it can find the true names associated -with a transaction, it is a lot easier to tax that -transaction. - -Recently there have been moves to make your cell phone -into a wallet. A big problem with this is that cell -phone cryptography is broken. Another problem is that -cell phones are not necessarily -associated with true names, and as soon as the government hears -that they might control money, it starts insisting that cell phones -*are* associated with true names. The phone companies don’t like -this, for if money is transferred from true name to true name, rather -than cell phone to cell phone, it will make them a servant of the -banking cartel, and the bankers will suck up all the gravy, but once -people start stealing money through flaws in the encryption, they -will be depressingly grateful that the government can track account -holders down and punish them – except, of course, the government -probably will not be much good at doing so. - -TCP is all about creating connections.  It creates connections between network addresses, but network addresses correspond to -the way networks are organized, not the way people are organized, -so on top of networks we have domain names. - -TCP therefore establishes a connection *to* a domain name rather -than a mere network address – but there is no concept of the -connection coming *from* anywhere humanly meaningful. - -Urns are “uniform resource names”, and uris are “uniform resource identifiers” and urls are “uniform resource locators”, and that is what the web is built out of.  - -There are several big problems with urls: - -1. They are uniform: Everyone is supposed to agree on one domain name for one entity, but of course they don’t.  There is honest and reasonable disagreement as to which jim is the “real” jim, becaŭse in truth there is no one real jim, and there is fraŭd, as in lots of people pretending to be Paypal or the Bank of America, in order to steal your money. - -2. They are resources: Each refers to only a single interaction, - but of course relationships are built out of many - interactions.  There is no concept of a connection continuing - throughout many pages, no concept of logon.  In building - urls on top of TCP, we lost the concept of a connection.  And - because urls are built out of TCP there is no concept of the - content depending on both ends of the connection – that a - page at the Bank might be different for Bob than it is for - Carol – that it does in reality depend on who is connected is - a kluge that breaks the architecture. - - Because security (ssl, https) is constructed below the level of - a connection, because it lacks a concept of connection - extending beyond a single page or a single url, a multitude of - insecurities result. We want https and ssl to secure a - connection, but https and ssl do not know there are such - things as logons and connections. - -That domain names and hence urls presuppose agreement, agreement -which can never exist, we get cybersquatting and phishing and -suchlike. - -That connections and logons exist, but are not explicitly addressed -by the protocol leads to such attacks as cross site scripting and -session fixation. - -A proposed fix for this problem is yurls, which apply Zooko’s -triangle to the web: One adds to the domain name a hash of a rule -for validating the public key, making it into Zooko’s globally unique -identifier.  The nickname (non unique global identifier) is the web -page title, and the petname (locally unique identifier) is the title -under which it appears in your bookmark list, or the link text under -which it appears in a web page. - -This, however, breaks normal form.  The public key is an attribute of the domain, while the nickname and petnames are attributes of particular web pages – a breach of normal form related to the loss of the concept of connection – a breach of normal form reflecting the fact that that urls provide no concept of a logon, a connection, or a user.   - -OK, so much for “uniform”.  Instead of uniform identifiers, we -should have zooko identifiers, and zooko identifiers organized in -normal form.  But what about “resource”, for “resource” also breaks -normal form. - -Instead of “resources”, we should have “capabilities”.  A resource -corresponds to a special case of a capability, a resource is a -capability that that resembles a read only file handle. But what -exactly are “capabilities”? - -People with different concepts about what is best for computer security tend to disagree passionately and at considerable length about what the word “capability” means, and will undoubtedly tell me I am a complete moron for using it in the manner that I intend to use it, but barging ahead anyway: - -A “capability” is an object that represents one end of a -communication channel, or information that enables an entity to -obtain such a channel, or the user interface representation of such a -channel, or such a potential channel. The channel enables the -possessor of the capability to do stuff to something, or get -something.  Capabilities are usually obtained by being passed along -the communication channel. Capabilities are usually obtained from -capabilities, or inherited by a running instance of a program when -the program is created, or read from storage after originally being -obtained by means of another capability. - -This definition leaves out the issue of security – to provide security, capabilities need to be unforgeable or difficult to guess.  Capabilities are usually defined with the security characteristics central to them, but I am defining capabilities so that what is central is connections and managing lots of potential connection.  Sometimes security and limiting access is a very important part of management, and sometimes it is not. - -A file handle could be an example of a capability – it is a -communication channel between a process and the file -management system.  Suppose we are focussing on security and -access management to files: A file handle could be used to control -and manage permissions if a program that has the privilege to -access certain files could pass an unforgeable file handle to one of -those files to a program that lacks such access, and this is the only -way the less privileged program could get at those files. - -Often the server wants to make sure that the client at one end of a -connection is the user it thinks it is, which fits exactly into the usual -definitions of capabilities.  But more often, the server does not care -who the client is, but the client wants to make sure that the server -at the other end of the connection is the server he thinks it is, -which, since it is the client that initiates the connection, does not fit -well into many existing definitions of security by capabilities. diff --git a/docs/parsers.md b/docs/parsers.md index d80e6d5..9f2098d 100644 --- a/docs/parsers.md +++ b/docs/parsers.md @@ -74,7 +74,7 @@ polish order, thus implicitly executing a stack of run time typed operands, which eventually get compiled and eventually executed as just-in-time typed or statically typed operands and operators. -For [identity](identity.html), we need Cryptographic Resource Identifiers, +For [identity](names/identity.html), we need Cryptographic Resource Identifiers, which cannot conform the “Universal” Resource Identifier syntax and semantics. Lexers are not powerful enough, and the fact that they are still used