On 1 March 2011 18:23, Daniel Kahn Gillmor <[email protected]> wrote:
> On 03/01/2011 12:08 PM, Melvin Carvalho wrote:
>> On 1 March 2011 18:00, Daniel Kahn Gillmor <[email protected]> wrote:
>>> I have no objections to using X.509 certificates as simple, "dummy"
>>> public-key carriers (as soon as i can find the time, i hope to publish
>>> some work that encourages this use case, in fact).
>>>
>>> But I do have a strong objection to contaminating the Freedom Box with
>>> the flawed certificate authority model currently used by the
>>> "widely-adopted" mass of X.509 software.
>>
>> Self sign your X.509 and you don't need a CA.
>
> Right; thereby discarding the flawed CA model, and using the certificate
> as a dummy public-key carrier.  The problem with this is that we still
> have no way of verifying/revoking these keys.  This is where the
> certificate format comes in, and is the place i think FreedomBox should
> use OpenPGP.

This is a very good point.  But actually there is a way in the case of the Freedom Box, because you have the advantage of controlling your own server.  Since you are already running a webserver and (hopefully) have control of your DNS, you can provide a two-way verification chain.

1. Your Person Profile publishes your public key. (This is a few lines of HTML5, should be easy.)

2. Point your self-signed X.509 to your Freedom Box profile.  This can be done by putting an entry in the SubjectAltName field of the cert, a common technique.

This provides strong verification for all the X.509 tool chain and means you can talk security to any server using SSL/TLS, which is most of them, providing strong authentication as a side product.

>
>>>> I think the GNOME keyring is doing some unification work in this area.
>>>
>>> i'd be interested to see a pointer to this work.
>>
>> http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf
>
> thanks, i'm glad to see that they're on the right track.  pkcs#11 is
> good for handling secret keys.  unfortunately, the library spec is
> pretty weak for dealing with alternate certification mechanisms.  I'll
> get in touch with these folks to see if there's a way to collaborate.
>
>       --dkg
>
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
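
The relying-party side of the two steps described in the message, as an added example that is not part of the original e-mail: given the SubjectAltName URI and RSA key already extracted from a self-signed certificate, it checks that the profile at that URI publishes the same key. The `data-*` attribute names, the `verify_link`, `hex_to_int` and `fetch` names, and the shortened sample key are assumptions of this example; the message does not specify the HTML5 markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample profile page with a shortened, non-real modulus.
# The data-* attribute names are an assumption of this example.
PROFILE_HTML = """<!doctype html>
<title>Alice</title>
<div data-key-type="rsa" data-modulus="00:C3:5F:1A:9B:27" data-exponent="65537">
  Alice's Freedom Box key
</div>"""


def hex_to_int(text):
    """Normalise 'aa:bb cc' style hex (any case, leading zeros) to an int."""
    return int("".join(text.replace(":", " ").split()), 16)


class ProfileKeys(HTMLParser):
    """Collects every RSA (modulus, exponent) pair the profile publishes."""

    def __init__(self):
        super().__init__()
        self.keys = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("data-key-type") != "rsa":
            return
        try:
            self.keys.add((hex_to_int(a["data-modulus"]), int(a["data-exponent"])))
        except (KeyError, ValueError, TypeError, AttributeError):
            pass  # malformed key entries are ignored, never trusted


def verify_link(san_uri, cert_modulus_hex, cert_exponent, fetch):
    """True only if the profile named in the cert's SubjectAltName publishes
    the same RSA key the certificate carries. `fetch` maps URL -> HTML text."""
    parts = urlsplit(san_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # refuse file:, data:, relative references, etc.
    parser = ProfileKeys()
    parser.feed(fetch(san_uri))
    # A key that is absent from (or removed from) the profile does not verify.
    return (hex_to_int(cert_modulus_hex), cert_exponent) in parser.keys
```

The result is only as trustworthy as the fetch of the profile itself, which in the message rests on control of the web server and DNS.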
