On 1 March 2011 18:00, Daniel Kahn Gillmor <[email protected]> wrote:
> On 03/01/2011 11:50 AM, Melvin Carvalho wrote:
>> Why not use the same key pair to generate an X.509 cert and a GPG key,
>> and have the best of both worlds?
>
> Sure, you can generate an arbitrary number of X.509 certificate requests
> from a given key, whether or not that key has been used to create an
> OpenPGP certificate. Who will sign those certificate requests? Which
> certifiers should the FreedomBox trust?
>
> The question for this list is whether FreedomBox should be relying on
> X.509 certificates for authentication, or whether it should prefer a
> certificate model that was designed from the ground up to be
> decentralized (as OpenPGP is).
>
> I have no objections to using X.509 certificates as simple, "dummy"
> public-key carriers (as soon as i can find the time, i hope to publish
> some work that encourages this use case, in fact).
>
> But I do have a strong objection to contaminating the Freedom Box with
> the flawed certificate authority model currently used by the
> "widely-adopted" mass of X.509 software.

Self-sign your X.509 and you don't need a CA.

>
>> I think the GNOME keyring is doing some unification work in this area.
>
> i'd be interested to see a pointer to this work.

http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf

>
> --dkg
>
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
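
An added example, not written by either poster: a Go sketch of the two points discussed in this thread, that one key pair can back any number of X.509 certificates and that a self-signed certificate can serve purely as a public-key carrier when the verifier pins the key instead of asking a CA. The helper names (`selfSigned`, `keyPin`, `acceptPinned`) and the host names are constructed for illustration, and the pin is assumed to have been learned out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSigned wraps key in a self-signed certificate; cn and serial are arbitrary labels.
func selfSigned(key *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// keyPin is the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
func keyPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// acceptPinned trusts c only if its key matches a pin learned out of band
// (for example from an OpenPGP-certified key) and the self-signature verifies.
func acceptPinned(c *x509.Certificate, pin string) bool {
	return keyPin(c) == pin &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, _ := selfSigned(key, "box.example", 1) // constructed names
	b, _ := selfSigned(key, "another.example", 2)
	fmt.Println(keyPin(a) == keyPin(b), acceptPinned(b, keyPin(a)))
}
```

The subject name and serial carry no trust here; the decision rests entirely on the key fingerprint, which is why standard chain validation against an empty root pool rejects the same certificate.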
