Its rather common for people with load balancers and lots of servers serving
the same domain to have multiple certs.
Same for certs to change to a new CA before expiry. (Probably switched to a
new CA when adding more servers to the load balanced web server farm).
I installed cert patrol and the popups about this are frequent. Any
solution that hopes for easy interim deployment needs to work with this.
Adam
On Wed, Nov 30, 2011 at 12:05:29PM -0800, Peter Eckersley wrote:
Perspectives and Convergence are one effort to do this (what key do other
people see on this server?). MonkeySphere is another (which humans in a web
of trust will vouch that this is the right key for this server?).
Perspectives/Convergence suffer from the problem that there is no way to tell
the difference between "the server was reinstalled and now has a new key" and
"the whole world sees an attack in progress". The former is more common but
the second can also occurr.
MonkeySphere has the problem that the web of trust has to be enormous before
it's likely that you can build a chain to the admins of all of the websites
you visit.
On Wed, Nov 30, 2011 at 01:30:03PM +0100, Eugen Leitl wrote:
I presume many here are aware of the Eben Moglen-started
FreedomBox initiative, which sets out to build a Debian
distro for lplug computers and similar which will package
many existing tools for the end result of an end-user
owned and operated, anonymizing and censorship-resistant
infrastructure.
One of the problems I did not see well-addressed yet is
infrastructure for a cert trust network, which uses social
graph information (FreedomBox is supposed to package a P2P
alternative to Facebook & Co) for cert fingerprint validation.
Is anyone aware of existing code which caches SSL cert
fingerprints and alerts when one suddenly changes, informing
of a potential MITM in progress?
Thanks.
--
Eugen* Leitl <a href="http://leitl.org";>leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
--
Peter Eckersley p...@eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
