Publish threat model and refresh native v1 docs
Add docs/THREAT_MODEL.md deriving a publishable threat model from NATIVE_V1_SPEC.md sections 4-6: assets, in/out-of-scope attackers, security properties vs SSH (including where Dosh aims to exceed it), cryptographic building blocks as implemented, and an honest accepted-residual-risks / known-gaps section. Refresh docs/PUBLIC_READINESS.md: feature matrix now reflects native auth, host-key trust, authorized_keys policy, doctor, and -L/-R/-D forwarding; add a per-item "Native v1 verification checklist status" table mapping spec section 16 to done/in-progress/pending from code. Update README.md status with a native v1 section and honest claim posture pointing to THREAT_MODEL.md. Annotate NATIVE_V1_SPEC.md with a v1 status block summarizing milestone progress. Point SPEC.md security model and header at native auth and the threat model. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,30 @@
|
||||
# Dosh Native v1 Spec
|
||||
|
||||
> **v1 status (annotation, not part of the spec text below).** Native v1 is
|
||||
> substantially implemented and being stabilized; it is not yet fully verified.
|
||||
> Milestone progress against section 15:
|
||||
>
|
||||
> - Milestone 1 — host identity and trust: **done.** Host key generation, `dosh trust`,
|
||||
> `known_hosts`, and mismatch hard-fail are implemented.
|
||||
> - Milestone 2 — native user auth: **done.** `ClientHello`/`ServerHello`/`UserAuth`/
|
||||
> `AuthOk`, ssh-agent and encrypted-key Ed25519, and `authorized_keys` verification
|
||||
> exist. ECDSA/RSA user keys are still pending (Ed25519 only today).
|
||||
> - Milestone 3 — default native auth: **done.** `auth_preference = "native,ssh"` is
|
||||
> the default with explicit, visible SSH fallback. Cold-auth benchmark gates are
|
||||
> pending (Track C / `BENCHMARKS.md`).
|
||||
> - Milestone 4 — forwarding: **done.** Stream mux, `-L`, `-R`, `-D`, `-N`, `-f`, and
|
||||
> per-stream flow control are implemented; hostile-network and load tests pending.
|
||||
> - Milestone 5 — hardening: **in progress.** Full per-IP token-bucket rate limiting,
|
||||
> protocol VERSION negotiation hardening, fuzzing in CI, and external review are not
|
||||
> yet complete. The threat model is published (`docs/THREAT_MODEL.md`).
|
||||
> - Milestone 6 — workflow parity: **mostly done.** `dosh doctor`, host-trust
|
||||
> management, and the encrypted-key prompt flow exist; cross-OS daily-driver soak is
|
||||
> ongoing.
|
||||
>
|
||||
> The section 16 verification checklist is **not yet fully green** — see the
|
||||
> item-by-item status table in `docs/PUBLIC_READINESS.md` and the residual-risk list in
|
||||
> `docs/THREAT_MODEL.md`. The section 17 public-claim gate is therefore **not met**.
|
||||
|
||||
Native Dosh is a remote-login protocol for Dosh-installed servers. It is intended to
|
||||
replace the user's day-to-day `ssh host` workflow for terminals and forwarding while
|
||||
keeping SSH as a compatibility and recovery fallback.
|
||||
|
||||
Reference in New Issue
Block a user