Thanks for getting this integrated Amir, privacy on the wire is a
necessary piece in the anonymity puzzle!

There needs to be a mechanism for publication of server public keys.
Adding this field to the published list of Obelisk servers
<https://wiki.unsystem.net/index.php/Obelisk/Servers> would be a good
start.

When it comes to client implementation I would expect that a client
would maintain its whitelist of servers (i.e. those for which it has
public keys) and not typically utilize a persistent keypair (i.e.
would remain anonymous to the server) - as in scenario 3 from the
CurveZMQ docs:

"Where the server does not check client keys at all. In this case the
clients can be certain they are talking securely to the correct
server, but the server will accept connections from any client. This
fits the conventional Internet model where a browser talks securely to
a website to place and order and send credit card information."

This would also mean that the server whitelist of clients would not be
typically utilized by a public server.

e

On 03/12/2014 10:14 AM, Amir Taaki wrote:
> Hey, The new Obelisk has support for server-client encryption and
> signing using ed25519 crypto. The client can specify a key, and
> the server can specify which client pubkeys it will accept (or all)
> and a whitelist of IP addresses.
>
> See this config file for reference:
>
> https://github.com/spesmilo/obelisk/blob/master/src/worker/worker.cfg#L24