Should we be incorporating https://letsencrypt.org/ at the same time?
Adrian On Wed, Dec 16, 2015 at 4:53 PM, Marc Jones <mjo...@softwarefreedom.org> wrote: > Sunil and James, > > As we discussed before we want to get the SSL Client certificate auth > integrated into freedombox for the 0.8 release. I put a proposal in to > present a libreplanet in March and I think this would be a cool thing to > show off. > > To get there though we have some work because we are kind of blazing a > new trail. No one is doing anything like this right now. But I think it > will be a great foundation to doing more stuff because it is a first > step in having our freedomboxes know about PGP. (Maybe one day we can > use PGP to allow FBXs to exchange data with each other. FBX backups > perhaps!) > > To get this integrated I think we have all of the components we just > need to pick a plan for an initial implementation. James suggested we do > this as an experimental plinth module for 0.8. Which I think makes a lot > of sense because until we get mod_auth_env in debian that will have to > be installed manually. Plus I think this really is an experiment. > > There are lots of use cases based on weather or not the Freedombox owner > has a PGP key already, but I think if we assume that the FBX owner has a > PGP key already published in the WoT it makes our initial goal as simple > as it can be. In this case, I think we need to do the following things > at minimum to say we have this integrated in: > > 1) package up mod_auth_env to make it as simple as possible to install > by hand (DONE by James) > > 2) Create monkeysphere plinth module that will: > * turn on Client Cert Auth > * turn on mod-auth-env > * turn on modgnutls client cert support as optional > * turn on apache auth as optional > * run msva > * Allow user to add what PGP keys for MSVA to trust for > verification > purposes based on email or fingerprint published in WoT > > 3) modify plinth to recognize Apache Auth username, but only if > Mod_gnutls has verified the address. If there is not Apache Auth user > then Plinth operates as it does now. > > 4) Give instructions on how to convert your PGP key into a Client SSL > cert and load it into your browser > > > I think the Apache Auth configuration should for now make the Client > Cert option and the Apache user as optional so if no client cert is > present it just falls through to Plinths current internal auth. > > What do you guys think of this as a first step? This would let use set > up a freedombox that used SSL Client certs that you could let your > friends access. I am thinking eventually having the official project > website hosted on a freedombox that core devs can update by logging in > via SSL client certs or something. > > After this there should be some quick wins like monkeysphere based SSH > login, monkeysphere SSH key verification, making keys for users who dont > already have PGP certs, etc.... We might even be able to use > monkeysphere to provide authenticated SSL server certs for accessing > FBXs via Tor hidden addresses since you still cant get certificate > cartel SSL certs for .onion addresses. > > -Marc > > -- > Marc Jones > Counsel > Software Freedom Law Center > 1995 Broadway, 17th Floor > New York, NY 10023 > Tel: 212-461-1919 > Fax: 212-580-0898 > Email: mjo...@softwarefreedom.org > www.softwarefreedom.org > > _______________________________________________ > Freedombox-discuss mailing list > Freedombox-discuss@lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss > -- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
_______________________________________________ Freedombox-discuss mailing list Freedombox-discuss@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss