[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] Announcing Santiago Release Candidate 1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/05/12 15:58, The Doctor wrote:
> On 05/22/2012 12:26 PM, Michael Rogers wrote:
>> Looking briefly at the Monkeysphere proposal mentioned earlier
>> in this thread, there appear to be some fields that could be used
>> to distinguish Monkeysphere-based handshakes from other
>> handshakes:
> 
> Is that before or after an SSL or TLS connection is negotiated?

This happens during the TLS handshake. The Monkeysphere proposal
describes a way of using PGP keys to sign TLS certificates. The
certificates are exchanged during the handshake just like CA-signed or
self-signed certificates would be.

>> * A new signature type is used, NullSignatureUseOpenPGP. * The 
>> signature type's object ID comes from an ID space allocated to
>> the Monkeysphere project. * The signature consists of the ASCII
>> bytes "use OpenPGP".
> 
> In this case yes, these could be used to detect certificate
> exchange. Exchanging over an unauthenticated crypto channel is
> probably not a good idea.

I think the idea is that the endpoints would already have
authenticated each other's PGP keys somehow; the Monkeysphere proposal
allows that prior authentication step to be used to authenticate TLS
connections.

> If it was, it would make it more difficult to detect and censor 
> FreedomBox traffic.  If it wasn't that would be a risk that would
> be implicitly accepted, and possibly need to be dealt with later.

Agreed. I'm not trying to argue for or against making
indistinguishability of FreedomBox traffic from other TLS traffic a
design goal; all I'm trying to do is to point out that if it's a
design goal, the Monkeysphere proposal isn't suitable.

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPvP3WAAoJEBEET9GfxSfMieIIAJDjfxaTMpA7emTY0B2aAdnl
xlOKeXKLeGGOT/fssZ1VqdbFc11s/O0cFQuUzAscis3EJrCjmGOHfkSrv3yMRwxC
o4mSeH8EOkN62A9ZfIJWDjkOS1vpUid3PWw5v2t2USwfDt+i5w44gjVJ3xhCCf1T
RqOWKzwWOqS2DOggx0c/r4u0FazS5w4jBWYPNFI/3ZGZmN0KnaEGoZspZ5R7MsTL
LyqEif4QyZc/NT4LAcLmLgYnV/BPZbg0b7EGcwVfxFxPBczuhxQLmLZUdSBVExSd
Tm7eLOWIDksKVmZ84dehxHmaS7178Zt1D/g+DyeNVZUmiHV1UxGRESLmEVvzxGo=
=Z0nZ
-----END PGP SIGNATURE-----
Reply to: