On 09/12/2013 10:06 AM, Keith wrote:
After further thought:
With a CA on each freedombox we could have something like this
Create a CA using (options used could be changed)
openssl genrsa -des3 -out "Freedombox CA.key" 4096
openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out
"Freedombox CA.pem"
Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
bits, could use 4096 bits if Postfix is the MTA used).
Include in Plinth an option for a freedom box to obtain ssl keys with
the Freedombox CA. No interface to an external website, openssl can do
this.
The public key of the Freedombox CA could be published, to be imported
into someone else's browser, could be a problem with multiple Freedombox
CA's with the same name.
Possibly a paranoid option to rotate the ssl keys on the freedom box
running manually and/or as a cron job (Now doing this daily with one of
my mailservers).
Hi Keith,
In short, the entire white-hat security community guessed what
"prohibitively expensive" meant. They guessed too low. Now we
know, and everyone (including the white-hats and the surveillance
industry) are scrambling to recover from the revelation.
Some are thinking of it as the tinfoil hats coming off. I think of it as
tinfoil hats appearing on every head of every person who has a device
connected to the internet. I like it that way because "paranoid" becomes
a synonym for "human", and all those previous "paranoid options" that
are cordoned off with scant documentation suddenly become "bad
human interfaces" which were prohibitively complicated to have actually
provided security or privacy to the user when it turned out that they
needed it.
So to me, "paranoid option" now either means a) core feature which should
be implemented cleanly, by default, or b) a dead coal mine canary that
says the
interface itself is too complicated, so start over and rethink it.
Best,
Jonathan
_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
