On Thu, Sep 12, 2013 at 01:20:13PM +0100, Philip Hands wrote:
> Eugen Leitl <[email protected]> writes:
>
> > On Thu, Sep 12, 2013 at 11:43:28AM +0100, Keith wrote:
> >> Anyone for setting up a Freedombox CA?
> >> This could be added to the freedombox as a trusted CA and usable for
> >> freedombox to freedombox TLS only.
> >
> > A CA appears counterproductive. End users should use
> > self-signed certs, or each Freedombox issue contain
> > their own CA.
That'd be a wise choice, considering how easily governments can ask commercial CAs for a valid certificate for any domain, or even issue them themselves. Then it's easy to do a MITM. But...

> It seems that the problem you're discussing is the one that
> monkeysphere has already addressed quite nicely:
>
> http://web.monkeysphere.info/

I believe there are two different issues to address:

* Inside the freedombox network. Much is possible in this area, going further in good SSL/TLS use with client certs and all. Here monkeysphere would be very useful, to bind SSL/TLS certs to OpenPGP keys.

* Outside the freedombox network, for people that want to send an email to a freedombox owner, or browse her blog. Here the commercial CA limitation is much harder to ignore, as it is the de facto standard and there is no real, widely deployed workaround to commercial CAs.

Concerning the last case, in the end, the question might be: "Does Freedombox want to push more secure TLS communication to the outside by requiring people from the outside to use new tools? Or does Freedombox want to be easily accessible from the outside without requiring people to install and understand new technologies, possibly losing the attention of those who won't ever take this step?"

By the way, CAcert.org would only work out of the box for people running Debian. Otherwise people will have to install its CA certificate in the system.

On the "strong ciphers vs software configuration" topic, ioerror published an interesting repo on GitHub with some sample configurations and advice for sysadmins:

https://github.com/ioerror/duraconf

Worth reading, and checking her conf accordingly.

Bert.

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
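The thread touches two concrete mechanisms without showing either: the box-to-box trust model (each Freedombox as its own trust anchor or a self-signed cert, so no commercial CA is consulted) and the "strong ciphers vs software configuration" question behind duraconf. The following Python example, added here by the editor and not code from this thread, from FreedomBox or from duraconf, shows a client that trusts only the peer box's own certificate (or, failing that, a pinned SHA-256 fingerprint of the leaf), restricts itself to TLS 1.2+ with forward-secret AEAD ciphers, and audits the resulting cipher list for known-weak names. The cipher string, the weak-name markers and `connect_pinned` are the editor's assumptions about a sensible policy, not a FreedomBox setting; the DER bytes in `__main__` are constructed test input, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Substrings of OpenSSL cipher names that should never be negotiable on a
# modern box (assumed marker list, not taken from duraconf or FreedomBox).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")


def hardened_client_context(peer_cert_pem=None):
    """Client context: TLS >= 1.2, forward-secret AEAD ciphers only.

    peer_cert_pem: the remote box's own (self-signed) certificate in PEM.  It is
    installed as the *only* trust anchor, so no commercial CA is consulted.
    When it is None, chain verification is switched off and the caller must
    pin the leaf fingerprint instead (see connect_pinned).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext
    # Assumed policy string: ECDHE key exchange, AES-GCM or ChaCha20, nothing anonymous/null/legacy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if peer_cert_pem is not None:
        ctx.load_verify_locations(cadata=peer_cert_pem)  # the box is its own CA
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        ctx.check_hostname = False     # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_ciphers(ctx):
    """Names of enabled ciphers matching a known-weak marker; an empty list is the goal."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]


def fingerprint_sha256(der_cert):
    """Lower-case hex SHA-256 of a DER-encoded certificate (what 'openssl x509 -fingerprint -sha256' prints)."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert, expected_hex):
    """Constant-time comparison of the leaf fingerprint against a pin; accepts colon-separated or upper-case hex."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint_sha256(der_cert), expected)


def connect_pinned(host, port, expected_hex, timeout=5.0):
    """Open a TLS connection and refuse it unless the leaf certificate matches the pin.

    Returns (protocol_version, cipher_name) on success; raises ssl.SSLError on a
    mismatch so a changed or substituted certificate is never silently accepted.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not verify_pin(der, expected_hex):
                raise ssl.SSLError(
                    f"pin mismatch for {host}: got {fingerprint_sha256(der)}")
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("enabled ciphers:", [c["name"] for c in ctx.get_ciphers()])
    print("weak ciphers still enabled:", weak_ciphers(ctx))
    # Constructed stand-in for a DER certificate: only the pinning logic is exercised here.
    fake_der = b"constructed-not-a-real-certificate"
    pin = fingerprint_sha256(fake_der)
    print("pin matches itself:", verify_pin(fake_der, pin))
    print("pin rejects a different value:", verify_pin(fake_der, "00" * 32))
```

Usage: generate the box's own key and self-signed cert once, hand the PEM (or its SHA-256 fingerprint) to the peer out of band, and call `hardened_client_context(peer_pem)` or `connect_pinned(host, 443, pin)`. The `weak_ciphers` check is the part worth wiring into a config test: it answers the duraconf question ("does my configuration actually exclude the weak suites?") against the OpenSSL build really in use rather than against what the config file says.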
