I should point out that I am aware of the following (http://www.adcportal.com/forums/viewtop ... f=33&t=425):

darkKlor wrote:
Another comment on using a single certificate for all hubs a user connects to (this applies to CIDs just the same): it is an information disclosure vulnerability, because you can reasonably expect that a public key only exists once. If you see a user on two hubs, with two different nicknames and IPs (e.g. they connect to one hub via a proxy, but not the other hub), but they have a common public key (or CID), then you know them to be the same user.

If, for registered users, the hub issues the user with a hub-signed certificate, specifically for that hub, and (borrowing from DJ_Offset's suggestions) the registered user's CID is a hash of that certificate (not the public key, because anyone can get that, potentially), then the hub knows who the user is, and their registered CID on that hub will not match their CID on another hub (registered or otherwise).

Nobody seems to implement a PM per user feature, it's all per hub... but anyway... The purpose of using a hash of the hub-specific certificate as the CID is to protect the user's identity (in a secure hub) from being revealed in another hub (secure or otherwise; it has different ownership). There is no issue for downloading because clients use SCH to look for matching hashes on each hub. It is true that you cannot tell if you are downloading off exactly the same person (maybe you really like their stuff), unless you see both the file lists look the same of course; however, once clients finally support multiple file lists, you will be incapable of telling that it is the same person (without human interaction).

Pietry wrote:
One of the NMDC flaws that is addressed by the CID / PID pair is the following: one could not identify a certain fellow user on different hubs. This way, the same user could leech from you on every hub you were both connected to. Also, you could have a PM session with the same user on every hub as well.
The other thread I referenced is worth taking a look at too; DJ_Offset raises many valid points about PIDs/CIDs.
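To make the linkability point concrete, here is a small added simulation (my own illustration, not code from ADC, any client, or the quoted posters). It models one user presenting the same public key to two hubs. A CID derived from the bare public key is identical on both hubs, so an observer on both can link the two sessions; a CID derived from a hub-issued certificate differs per hub, while the issuing hub can still recognise its own registered user. The certificate and signature here are toy stand-ins (an HMAC keyed with a per-hub secret, SHA-256 for the hash); ADC's real hash and certificate formats are not assumed.

```python
import hashlib
import hmac

# --- toy stand-ins (constructed for this example, not ADC's real formats) ---

def hub_issue_certificate(hub_secret: bytes, hub_name: str, user_pubkey: bytes) -> bytes:
    """Hub 'signs' a binding of (hub name, user public key).

    A real hub would issue an X.509 certificate; an HMAC keyed with the
    hub's private secret is enough to show the per-hub binding."""
    body = hub_name.encode() + b"|" + user_pubkey
    tag = hmac.new(hub_secret, body, hashlib.sha256).digest()
    return body + b"|" + tag


def hub_verify_certificate(hub_secret: bytes, hub_name: str, cert: bytes):
    """Return the user's public key if the cert was issued by this hub, else None.

    This is the 'hub knows who the user is' half of the argument."""
    try:
        name, pubkey, tag = cert.split(b"|")
    except ValueError:
        return None
    if name != hub_name.encode():
        return None
    expected = hmac.new(hub_secret, name + b"|" + pubkey, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return pubkey


def cid_from_public_key(user_pubkey: bytes) -> str:
    """Global CID: same on every hub because it depends only on the key."""
    return hashlib.sha256(user_pubkey).hexdigest()


def cid_from_certificate(cert: bytes) -> str:
    """Per-hub CID: depends on the hub-specific certificate."""
    return hashlib.sha256(cert).hexdigest()


def derive_cids(user_pubkey: bytes, hubs: dict):
    """For one user key and a {hub_name: hub_secret} map, return
    (global_cid, {hub_name: per_hub_cid})."""
    per_hub = {}
    for hub_name, hub_secret in hubs.items():
        cert = hub_issue_certificate(hub_secret, hub_name, user_pubkey)
        per_hub[hub_name] = cid_from_certificate(cert)
    return cid_from_public_key(user_pubkey), per_hub


def linkable(cid_on_hub_a: str, cid_on_hub_b: str) -> bool:
    """An observer present on both hubs links two sessions when the CIDs match."""
    return cid_on_hub_a == cid_on_hub_b


if __name__ == "__main__":
    # Constructed sample: one user key, two hubs with different owners/secrets.
    user_key = b"\x01" * 32
    hubs = {"hub-alpha": b"a" * 32, "hub-beta": b"b" * 32}

    global_cid, per_hub = derive_cids(user_key, hubs)
    print("key-derived CID linkable across hubs:",
          linkable(global_cid, global_cid))                       # True
    print("cert-derived CID linkable across hubs:",
          linkable(per_hub["hub-alpha"], per_hub["hub-beta"]))    # False

    cert = hub_issue_certificate(hubs["hub-alpha"], "hub-alpha", user_key)
    print("hub-alpha recognises its user:",
          hub_verify_certificate(hubs["hub-alpha"], "hub-alpha", cert) == user_key)
    print("hub-beta cannot claim that cert:",
          hub_verify_certificate(hubs["hub-beta"], "hub-alpha", cert) is None)
```

The design point the simulation isolates is that unlinkability across hubs comes from putting hub-specific material under the hash, not from hiding the public key; the same user key can be registered on both hubs without the two CIDs revealing that.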