[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] Freedombox CA

On Thu, Sep 12, 2013 at 09:02:51PM +0200, Anders Jackson wrote:

> > > Isn't this just a new snake oil certificate?  I would like a simple GUI
> to
> >
> > You say that like it was a bad thing.
> 
> Depends, but yes mostly it is. Try to distribute it.

Secrets should be generated on device, and not leave
the device. In fact, we need an open hardware auditable
TPM which does not allow the secrets to be extracted,
and allows basic crypto operations to be conducted
onboard, outside of OS's access.

Trusting central authorities with doing
the right thing is a single point of failure.
Trust should be built on people you've known for
a long time. Since recently it has been possible to
build distributed networks where trust is a function
of network quorum. 
 
> > > add CAcert.org certificates, or from any other CA.
> >
> > The CA model is dead. You might have missed the memo.
> 
> No, it isn't. It just smells like it when used badly.

The problem is that it's the default. 
 
> > > Also generate certificate keys that can be imported to web browsers and
> > > used to log in on your freedombox web interface. One for each user, and
> > > easy to remove.
> >
> > You can import your own CA into the browser, which get
> > rid of the warnings.
> 
> Yes, and?

This means that in a network of friends, running a trusted
hardware like Freedombox, each with their own onboard CA,
the CA-issued certs no longer generate a warning in a stock
browser without plugins, once imported.

That's way insufficient, but it's a first building block.
 
> > > I think there are work on using PGP keys useful in TLS (SSL), anyone
> know
> >
> > SSL/TLS no longer inspire confidence. Messy implementations like
> > OpenSSL even less.
> 
> Well, SSL has been dead for a long time and are still used. Don't use it!
> 
> TLS isn't a problem, unless you use early versions. Don't use those.

I wish that such notions would be widely widespread. Once Snowden's
leak spigot dries up it will be business as usual in a few months,
outside of a small circle of people producing tools the majority is
unaware of, and doesn't understand the need for. Until the next major
leak, lather, rinse, repeat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130913/28d83aba/attachment.sig>
Reply to: