docs: document relay trust boundary
The plan explicitly calls out that the MVP relay sees plaintext Ethernet frames because it terminates QUIC for every peer connection. Document that boundary in the README so operators and future security work do not infer end-to-end payload privacy from QUIC alone. Also state the intended future direction: room-key payload encryption should keep the relay routing header visible while encrypting Ethernet payload bytes between clients and the LAN gateway.

Test Plan:
- git diff --check

Refs: PLAN.md
@@ -123,6 +123,18 @@ When a peer joins or leaves, the relay sends a reliable lifecycle control event
to peers that are still present in the room. Newly joined peers also receive
`PeerJoined` events for peers that were already present.

### MVP Trust Model

The MVP relay terminates QUIC for every client and gateway connection. QUIC
protects traffic on the public network path, but the relay process sees
plaintext Ethernet frames while forwarding them between peers in a room. That is
acceptable for the first LAN-party proof, where the relay is an operator-trusted
component, but it is not end-to-end encrypted.

Future room-key payload encryption should keep the relay-visible routing header
small and leave only Ethernet payload bytes encrypted end-to-end between clients
and the LAN gateway.

## Gateway

```bash

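Review bot: the closing sentence of the new section, "leave only Ethernet payload bytes encrypted end-to-end", reads as if encryption were being restricted rather than added; suggest "encrypt only the Ethernet payload bytes end-to-end between clients and the LAN gateway, keeping the relay-visible routing header small and in the clear". The trust-model paragraph also describes the relay only as able to see frames, but a relay that terminates QUIC on both sides can equally modify, drop or inject frames between peers, and even once room-key payload encryption lands it still learns the routing metadata (room membership and which peer sends to which); stating both explicitly would stop a reader from taking "operator-trusted" to mean confidentiality is the only property that depends on the relay host.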