X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Fsimilar.mdwn;h=aef9c6f1147ca3cbce12f56abc2dcc11f033c6a8;hb=9fb7f481e3d09d3b3658cb78bd75c4910fff8c0a;hp=1a33b062430ff2caa46f9035a4a619554a29410b;hpb=948b21702fbeaf1874286bd9b0d7c27c37d55c2a;p=monkeysphere.git diff --git a/website/similar.mdwn b/website/similar.mdwn index 1a33b06..aef9c6f 100644 --- a/website/similar.mdwn +++ b/website/similar.mdwn @@ -1,5 +1,4 @@ -[[!template id="nav"]] -[[meta title="Similar Projects"]] +[[!meta title="Similar Projects"]] The monkeysphere isn't the only project intending to implement a PKI for OpenSSH. We provide links to these other projects because they're @@ -14,7 +13,8 @@ associated with significant maintenance (and therefore security) problems. While ultimately contributing a patch to -[OpenSSH](http://openssh.com/) (or any +[OpenSSH](http://openssh.com/) (or +[any](http://mina.apache.org/sshd/) [free](http://www.chiark.greenend.org.uk/~sgtatham/putty/) [SSH](http://www.lysator.liu.se/~nisse/lsh/) [implementation](http://matt.ucc.asn.au/dropbear/dropbear.html)) is @@ -71,7 +71,8 @@ Some concerns with the Perspectives OpenSSH client: * This client won't help if you are connecting to machines behind firewalls, on NAT'ed LANs, with source IP filtering, or otherwise - in a restricted network state. + in a restricted network state, because the notaries won't be able + to reach it. * There is still a question of why you should trust these particular notaries during your verification. Who are the notaries? How 
@@ -85,6 +86,17 @@ Some concerns with the Perspectives OpenSSH client: * It doesn't provide any mechanism for key rotation or revocation: Perspectives won't help you if you need to re-key your machine. + * The most common threat which Perspectives protects against (a + narrow MITM attack, e.g. the attacker controls your gateway) often + coincides with the ability of the attacker to filter arbitrary + traffic to your node. But in this case, the attacker could filter + out your traffic to the notaries (or the responses from the + notaries). Such filtering (rejecting unknown UDP traffic, as + Perspectives appears to use UDP port 15217) is unfortunately + common, particuarly on public networks, even when the gateway is + not malicious. This reduces the utility of the Perspectives + approach. + ## OpenSSH with X.509v3 certificates ## Roumen Petrov [maintains a patch to OpenSSH that works with the X.509
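Review bot: In the first hunk (@@ -1,5 +1,4 @@) two unrelated changes are folded together and neither is explained in the visible diff: the `[[!template id="nav"]]` line is dropped outright, and `[[meta title="Similar Projects"]]` becomes the bang-prefixed directive form `[[!meta title="Similar Projects"]]`. The second is a directive-syntax fix that stands on its own; the first changes what the page renders, so the commit message should say where navigation now comes from (e.g. the site-wide template) so a later reader does not take it for an accidental deletion.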
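Review bot: In the second hunk (@@ -14,7 +13,8 @@) the new link to http://mina.apache.org/sshd/ is hung on the bare word "any", extending the existing one-word-per-link pattern ("any", "free", "SSH", "implementation") in which none of the anchor words names the project it points to. Since the list is now four implementations long, a short explicit list ("OpenSSH, Apache MINA SSHD, PuTTY, lsh, Dropbear") would tell the reader which projects are meant without having to hover over each word.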
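Review bot: In the third hunk (@@ -71,7 +71,8 @@) the added clause "because the notaries won't be able to reach it" has a number-agreement problem: the antecedent is "machines", so it should read "won't be able to reach them". The added clause is the right explanation, but it applies only to the first three conditions in the bullet (firewalls, NAT'ed LANs, source IP filtering); "or otherwise in a restricted network state" is vague enough that it could be cut now that the reason is spelled out.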
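Review bot: In the fourth hunk (@@ -85,6 +86,17 @@) the new bullet has a typo, "particuarly" for "particularly", and the hedged "as Perspectives appears to use UDP port 15217" should either be confirmed against the Perspectives documentation and stated plainly or left out, since a wrong port number undermines the point. The argument itself (an attacker who controls the gateway can also drop the notary queries or replies) largely overlaps with the firewall bullet added two hunks earlier; consider merging the two, and say what the client does when no notary answers (refuse the connection, or fall back to plain trust-on-first-use), because that behaviour decides whether the utility is merely reduced or the protection is lost entirely.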