[Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox

Subject: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
From: bertagaz at ptitcanardnoir.org (bertagaz@ptitcanardnoir.org)
Date: Thu, 12 Sep 2013 16:16:46 +0200
Message-id: <[🔎] 20130912141646.GF26847@localhost>
In-reply-to: <[🔎] 87li32s03m.fsf@poker.hands.com>
References: <[🔎] 20130912091036.16674.58343@bastian.jones.dk> <[🔎] 1378982608.12748.104.camel@xw6200.me4.it> <[🔎] 20130912115751.GH10405@leitl.org> <[🔎] 87li32s03m.fsf@poker.hands.com>

On Thu, Sep 12, 2013 at 01:20:13PM +0100, Philip Hands wrote:
> Eugen Leitl <eugen at leitl.org> writes:
> 
> > On Thu, Sep 12, 2013 at 11:43:28AM +0100, Keith wrote:
> >> Anyone for setting up a Freedombox CA?
> >> This could be added to the freedombox as a trusted CA and usable for
> >> freedombox to freedombox TLS only.
> >
> > A CA appears counterproductive. End users should use 
> > self-signed certs, or each Freedombox issue contain
> > their own CA.

That's be a wise choice, considering how governments can easily ask a
valid certificate for any domain to commercial CAs. Or even issue them
themselves. Then, it's easy to do a MITM. But...

> It seems that the problem you're discussing is the one that that
> monkeyshere has already addressed quite nicely:
> 
>   http://web.monkeysphere.info/
> 

I believe there are two different issues to address:

 * Inside the freedombox network. Much is possible in this area, going
   further in good SSL/TLS use with client certs and all. Here
   monkeysphere would be very useful, to bind SSL/TLS certs to OpenPGP
   keys.

 * Outside the freedombox network, for people that want to send an email
   to a freedombox owner, or browse her blog. Here the commercial CA
   limitation is much more hard to ignore, as it is the de facto standard
   and there are no real widely deployed workaround to commercial CA.

Concerning the last case, in the end, the question might be : "Do
freedombox want to push in the outside more secure TLS communication by
requiring people from the outside to use new tools? Or do Freedombox want
to be easily accessible from the outside without requiring people to
install and understand new technologies, possibly loosing attention from
those who won't ever do this step?

By the way, CAcert.org would work only out of the box for people running
Debian. Otherwise people will have to install their CA certificate in
the system.

On the "strong ciphers vs software configuration", ioerror published an
interesting repo on github with some sample configurations and advices to
sysadmins:

https://github.com/ioerror/duraconf

Worth reading and checking her conf accordingly.

Bert.

Reply to:

Follow-Ups:
- [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
  - From: dr@jones.dk (Jonas Smedegaard)

References:
- [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
  - From: dr@jones.dk (Jonas Smedegaard)
- [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
  - From: keith@fernie.eu (Keith)
- [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
  - From: eugen@leitl.org (Eugen Leitl)
- [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
  - From: phil@hands.com (Philip Hands)

Prev by Date: [Freedombox-discuss] Freedombox CA
Next by Date: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
Previous by thread: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
Next by thread: [Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox
Index(es):
- Date
- Thread