
[Freedombox-discuss] my summary of yesterday's Hackfest

On 1 March 2011 19:34, Jonas Smedegaard <dr at jones.dk> wrote:
> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>> But actually there is a way in the case of the Freedom Box, because you
>>>> have the advantage of controlling your own server.
>>>> Since you are already running a webserver and (hopefully) have control
>>>> of your DNS.
>>>> You can provide a two-way verification chain.
>>>> 1. Your Person Profile publishes your public key. (this is a few
>>>> lines of html5, should be easy)
>>>> 2. Point your self-signed X.509 to your Freedom Box profile. This can
>>>> be done by putting an entry in the SubjectAltName field of the cert, a
>>>> common technique.
>>>> This provides strong verification for all the X.509 tool chain and means
>>>> you can talk security to any server using SSL/TLS which is most of them,
>>>> providing strong authentication as a side product.
>>> This doesn't provide an adequate means of revocation, though. If an
>>> attacker gets control over your key, and is able to repoint DNS, then you
>>> cannot publish any revocation statement about this key through this channel.
>> If an attacker does gain these two points of control, and they knew what
>> they were doing, you could have an issue yes.
>> We need to scope out a revocation model, but I don't think it's that hard.
>> May already be something existing, I'll have a check.
> Without playing with it yet myself, I blindly assumed Monkeysphere was
> usable for exactly this: use GPG web of trust to assure certificates.
>>> These two points are what i meant when i said that this model has "no way
>>> of verifying/revoking these keys".
>>> I'm sure you could graft something like this onto <X.509+your scheme
>>> above>; but OpenPGP already exists and handles these cases pretty well. Why
>>> reinvent the wheel?
>> Because X.509 is quite webby, and the web is the dominant ecosystem on
>> the internet.
> more specifically: TLS allows for RESTful secure identity handling - which
> helps save bandwidth as it is friendly to proxies and other caching.
> http://www.w3.org/wiki/WebID

Yes, exactly.

There's a group that has now moved this a step closer to
standardization with a W3C Web Consortium Incubator Group.


I know revocation has been raised as a topic.  I normally listen in on
the telecons, so I can report back on this topic, and any others
people wish to raise.

> Your arguments about the trust model, Daniel, I agree with: we should not
> (only) rely on existing certificate chains.
> - Jonas
> --
> * Jonas Smedegaard - idealist & Internet architect
> * Tel.: +45 40843136 Website: http://dr.jones.dk/
> [x] quote me freely [ ] ask before reusing [ ] keep private
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
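
The two-step check described in the quoted thread (the certificate's SubjectAltName points at the profile, and the profile publishes the public key), as an added example that is not part of the original message. It assumes the Python `cryptography` package; the profile URI, the `PROFILES` dict standing in for an HTTPS fetch, and all function names are hypothetical.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PROFILE_URI = "https://box.example/profile#me"  # constructed, hypothetical URI

def spki(public_key):
    """DER SubjectPublicKeyInfo, used as the canonical form for comparison."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)

def self_signed(key, profile_uri):
    """Self-signed cert whose SubjectAltName carries the profile URI (step 2)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "freedombox")])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(profile_uri)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))

def verify_chain(cert, fetch_profile_key):
    """True if a profile named in the cert's SAN publishes the cert's own key.
    Possession of the private key is proven separately by the TLS handshake."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return False
    for uri in ext.value.get_values_for_type(x509.UniformResourceIdentifier):
        if fetch_profile_key(uri) == spki(cert.public_key()):
            return True
    return False

owner_key = ec.generate_private_key(ec.SECP256R1())
other_key = ec.generate_private_key(ec.SECP256R1())
# Step 1: the profile publishes the owner's key (a dict stands in for HTTPS).
PROFILES = {PROFILE_URI: spki(owner_key.public_key())}
owner_cert = self_signed(owner_key, PROFILE_URI)
forged_cert = self_signed(other_key, PROFILE_URI)  # same SAN, different key

print(verify_chain(owner_cert, PROFILES.get))
print(verify_chain(forged_cert, PROFILES.get))
# Revocation gap raised in the thread: whoever controls what the URI serves
# controls the answer, so a repointed profile makes the other key verify.
print(verify_chain(forged_cert, {PROFILE_URI: spki(other_key.public_key())}.get))
```
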
