Question about areas - Hadmut Danisch

public inbox for nncp-devel@lists.stargrave.org
Atom feed

From: Hadmut Danisch <hadmut@danisch•de>
To: nncp-devel@lists.cypherpunks.su
Subject: Question about areas
Date: Wed, 24 Sep 2025 19:55:54 +0200	[thread overview]
Message-ID: <d95c4e02-064a-4e4d-a00a-f4390c1f5b99@danisch.de> (raw)

[-- Attachment #1: Type: text/plain, Size: 2245 bytes --]

Hi,

a question about areas:

I recently tried to use areas (nncp 8.10.0, Ubuntu 24.04), and wanted to 
build something like

         A
     /      \

    B        C

  /  \      /  \

D    E   F      G

where A (sender only) sends  messages to an area with members B and C 
(without knowing about D,E,F,G), and B and C just forward (without 
reading the message) to  D,E , F, G, where B knows about members D and 
E, and C knows about F and G.

A is sender only,  B,C are keyless forwarders only,  and D,E,F,G are 
receivers  only and final recipients, thus need to have the secret keys. 
Only A is origin of messages.

I had expected that I have to give A only the public key of the area key 
set. But I got an error message, that A requires the secret key of the 
area as well. In constrast, the docs at 
http://www.nncpgo.org/Multicast.html tell, that B and C as pure 
fordwarders would not need to have any keys at all to just forward.

So my concern is: What does A need the secret key of the are for? Isn't 
that a security flaw, if A stores encrypted message until transport, but 
the keys as well? If I understand this correctly, when sending a message 
to an area on A, the message is first encrypted for the area (where it 
needs the public key for), but then immediately descrypted again by 
nncp-toss to redistribute.

But: What does A need to decrypt the message for, if forwarders B and C 
(or, in the example on http://www.nncpgo.org/Multicast.html, node B) 
don't need any keys at all just to forward a message to known members of 
the area. Why is sending and forwarding implemented differently?

I my eyes, it should be sufficient for node A to just have the public 
keys of the area to encrypt the message, and then forward it to members 
just like a keyless forwarder.

I do consider it as insecure, if node A, which is solely a sender to the 
area and not a member, needs to have the secret keys. E.g. on an email 
relay in a cloud, an attacker who get's access to the machine, can 
immediately decrypt all messages in the spool directory.

So my question is: Why does A require posession of the secret keys? What 
does it need them for, if forwarding is possible without keys?

Best regards

Hadmut

[-- Attachment #2: Type: text/html, Size: 3170 bytes --]

next             reply	other threads:[~2025-09-24 18:12 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-24 17:55 Hadmut Danisch [this message]
2025-09-25 15:16 ` Question about areas Sergey Matveev