
monkeysphere TLS client-side certs [was: Re: Developer repositories for Debian]



Raphaël wrote:

> I don't think that you're speaking of the same thing. I see no
> information about "X.509 client certificates" in Monkeysphere. It
> offers ways to validate the server certificate (if it's not signed by
> known CA) but it doesn't seem to offer any solution to manage client
> certificate.

There actually is functional TLS client-side cert validation via the
monkeysphere (checking identities against the OpenPGP WoT while keeping
the bits on the wire as standard X.509), but it is in a development
branch of mod_gnutls (not yet part of an official release).

If either Bdale or I have signed your key (probably true for many DDs
I've met at various debconfs) you can follow the steps at:

 https://demo.monkeysphere.info/

to see it in action.  That demo is currently configured to rely on
myself and Bdale as certifying authorities, but the mechanism can be
configured with arbitrary authorities (including using gpg's concept of
marginal ownertrust), depending on the administrator's preferred
configuration.

I'm hoping to get a new release of mod_gnutls out relatively soon that
should include this capability in an official release.

Regards,

       --dkg

PS Please Cc me on any replies because I am currently too short on time
to drink directly from the firehose that is debian-devel :(
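The validation step the message above describes (ordinary X.509 on the wire, identity checked against the OpenPGP web of trust under administrator-chosen authorities), modelled as an added example for this archive page. This is not monkeysphere or mod_gnutls code: the keyring, the `FP-...` fingerprints and the key material are constructed placeholders, the mapping from certificate to OpenPGP key is reduced to "same key material and same user ID as the certificate subject", and the trust evaluation is a simplified, depth-one version of gpg's classic model in which only the configured authorities count as certifiers (one fully trusted signature, or `--marginals-needed` marginal ones). The second policy goes beyond the demo's two-full-authority setup to show the marginal-ownertrust configuration the message mentions.

```python
"""Toy model of the check described above: the client presents an ordinary X.509
certificate, the server finds the OpenPGP key with the same key material and
user ID, and then asks whether that user ID is valid under its configured
certifying authorities.  Added example, not monkeysphere/mod_gnutls code.
All keys, fingerprints and key material below are constructed placeholders."""
import hashlib
from dataclasses import dataclass

FULL, MARGINAL = "full", "marginal"   # gpg ownertrust levels used here


@dataclass(frozen=True)
class OpenPGPKey:
    fingerprint: str          # placeholder, not a real fingerprint
    pubkey: bytes             # key material; in reality the RSA/ECC public key
    uid: str                  # the user ID being validated
    certifiers: frozenset     # fingerprints whose keys signed (pubkey, uid)


@dataclass(frozen=True)
class ClientCert:
    subject: str              # subject name presented in the X.509 cert
    pubkey: bytes             # subjectPublicKeyInfo key material


@dataclass
class TrustConfig:
    ownertrust: dict          # fingerprint -> FULL or MARGINAL
    completes_needed: int = 1 # gpg default --completes-needed
    marginals_needed: int = 3 # gpg default --marginals-needed


def find_openpgp_key(cert, keyring):
    """Map X.509 key material + subject to an OpenPGP key in the keyring.
    A matching key with a different user ID is deliberately not accepted."""
    digest = hashlib.sha256(cert.pubkey).digest()
    for key in keyring:
        if hashlib.sha256(key.pubkey).digest() == digest and key.uid == cert.subject:
            return key
    return None


def uid_is_valid(key, cfg):
    """Simplified depth-one version of gpg's classic trust model: only the
    configured authorities count as certifiers; one fully trusted signature
    or marginals_needed marginal ones make the user ID valid."""
    fulls = sum(1 for f in key.certifiers if cfg.ownertrust.get(f) == FULL)
    marginals = sum(1 for f in key.certifiers if cfg.ownertrust.get(f) == MARGINAL)
    return fulls >= cfg.completes_needed or marginals >= cfg.marginals_needed


def verify_client(cert, keyring, cfg):
    """Return (accepted, reason) for a presented client certificate."""
    key = find_openpgp_key(cert, keyring)
    if key is None:
        return False, "no OpenPGP key matches the certificate's key and subject"
    if not uid_is_valid(key, cfg):
        return False, f"user ID {key.uid!r} is not valid under the configured authorities"
    return True, f"{key.uid} authenticated as OpenPGP key {key.fingerprint}"


# Constructed keyring: two "authorities" (stand-ins for the two people named
# in the message), three other certifiers, and three clients whose user IDs
# carry different certifications.
ALICE_KEY, BOB_KEY, CAROL_KEY = b"alice-rsa-key", b"bob-rsa-key", b"carol-rsa-key"
KEYRING = [
    OpenPGPKey("FP-ALICE", ALICE_KEY, "Alice Example", frozenset({"FP-DKG"})),
    OpenPGPKey("FP-BOB", BOB_KEY, "Bob Example", frozenset({"FP-X", "FP-Y", "FP-Z"})),
    OpenPGPKey("FP-CAROL", CAROL_KEY, "Carol Example", frozenset({"FP-X"})),
]
ALICE_CERT = ClientCert("Alice Example", ALICE_KEY)
BOB_CERT = ClientCert("Bob Example", BOB_KEY)
CAROL_CERT = ClientCert("Carol Example", CAROL_KEY)

# Policy like the demo described: two fully trusted certifying authorities.
DEMO_POLICY = TrustConfig({"FP-DKG": FULL, "FP-BDALE": FULL})
# Policy using marginal ownertrust: X, Y and Z are each only marginally trusted,
# so a user ID needs all three of their signatures (marginals_needed=3).
MARGINAL_POLICY = TrustConfig({"FP-DKG": FULL, "FP-BDALE": FULL,
                               "FP-X": MARGINAL, "FP-Y": MARGINAL, "FP-Z": MARGINAL})

if __name__ == "__main__":
    for cert in (ALICE_CERT, BOB_CERT, CAROL_CERT):
        print("demo    ", cert.subject, verify_client(cert, KEYRING, DEMO_POLICY))
        print("marginal", cert.subject, verify_client(cert, KEYRING, MARGINAL_POLICY))
    # Same key material but a different subject must not be accepted.
    print("mismatch", verify_client(ClientCert("Mallory", ALICE_KEY), KEYRING, DEMO_POLICY))
```

Under the demo-style policy only Alice (signed by one of the two full authorities) is accepted; Bob's three signatures count for nothing until the administrator grants those signers marginal ownertrust, and Carol's single marginal signature is never enough. The subject check in `find_openpgp_key` is the part worth keeping in mind when building the real thing: matching on key material alone would let a certificate claim any user ID attached to that key.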
