key management roadmap

Rob Townley rob.townley at gmail.com
Wed Feb 23 00:04:15 CET 2011


On Tue, Feb 22, 2011 at 5:38 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Tue, Feb 22, 2011 at 11:48:15AM +0100, Claudio wrote:
>
>> Here in Rome with other friends of mine we extensively used tinc-vpn
>> as backend layer of our network, now we need a clever key management
>> of the keys to meet our goals.
>> Now ZioProto (that Guus met at FOSDEM) says to me that something is
>> going to be developed in this area, so I'd like to know what kind of
>> ideas are on the roadmap.
>
> http://tinc-vpn.org/goals/ (scroll down to "Plans for tinc 2.0")
> http://tinc-vpn.org/git/fides/ (for the code, that should be merged with tinc)
>
> If you have questions, comments or other ideas about how to do this, let us
> know!
>
> --
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus at tinc-vpn.org>


Does the git entry "Update to a somewhat usable version" from more than
a year ago actually mean this is pretty stable now?
Please warn about any funny shaped soundwaves:)

If you can accept a somewhat more centralized VPN, it should work to
have a central node host a DNS server listening only on its tinc IP
address.  There are different DNS records that can store certificates
and SRV records that can dynamically store port numbers.  On paper, it
seems that a DNS server and changes to the tinc clients would be all
that is needed.  Distribute the host file for the DNS server to each
client; the remaining certificates would come from the DNS server.
I had other performance problems with running tinc, so I never tried out
these changes.

