X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Fsimilar.mdwn;h=ae3f728a610fc9302f6bdbf2e6619ec28ed2ce7d;hb=8308d8f9ae389c514ddd08a805fe7b07b989342d;hp=5bfd4b2b4ff981b0d79b76061ebbd071df40a29a;hpb=640c122ce3bbd25139fb39cdd1312ac4c842665f;p=monkeysphere.git

diff --git a/website/similar.mdwn b/website/similar.mdwn
index 5bfd4b2..ae3f728 100644
--- a/website/similar.mdwn
+++ b/website/similar.mdwn
@@ -5,6 +5,8 @@ The monkeysphere isn't the only project intending to implement a PKI
 for OpenSSH.  We provide links to these other projects because they're
 interesting, though we have concerns with their approaches.
 
+[[toc ]]
+
 All of the other projects we've found so far require a patched version
 of OpenSSH, which makes adoption more difficult.  Most people don't
 build their own software, and simply overlaying a patched binary is
@@ -69,7 +71,8 @@ Some concerns with the Perspectives OpenSSH client:
 
  * This client won't help if you are connecting to machines behind
    firewalls, on NAT'ed LANs, with source IP filtering, or otherwise
-   in a restricted network state.
+   in a restricted network state, because the notaries won't be able
+   to reach it.
 
  * There is still a question of why you should trust these particular
    notaries during your verification.  Who are the notaries?  How
@@ -83,6 +86,17 @@ Some concerns with the Perspectives OpenSSH client:
  * It doesn't provide any mechanism for key rotation or revocation:
    Perspectives won't help you if you need to re-key your machine.
 
+ * The most common threat which Perspectives protects against (a
+   narrow MITM attack, e.g. the attacker controls your gateway) often
+   coincides with the ability of the attacker to filter arbitrary
+   traffic to your node.  But in this case, the attacker could filter
+   out your traffic to the notaries (or the responses from the
+   notaries).  Such filtering (rejecting unknown UDP traffic, as
+   Perspectives appears to use UDP port 15217) is unfortunately
+   common, particuarly on public networks, even when the gateway is
+   not malicious.  This reduces the utility of the Perspectives
+   approach.
+
 ## OpenSSH with X.509v3 certificates ##
 
 Roumen Petrov [maintains a patch to OpenSSH that works with the X.509