On 1 March 2011 17:43, Daniel Kahn Gillmor <[email protected]> wrote: > On 03/01/2011 10:51 AM, Matt Willsher wrote: >> My point is rather: why not just use X.509 keys and certs and why use >> GPG/PGP at all? X.509 is multi purpose, well adopted and well trusted. > > X.509 is certainly widely adopted, but that's about all you can say for it. > > well-trusted? not so much. here's a few links to get you started: > > > http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model > > https://www.eff.org/observatory > > > https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl > > http://www.cs.auckland.ac.nz/~pgut001/pubs/rsa2011.pdf > > And due to its single-issuer-per-cert design, X.509 is intrinsically > antithetical to the decentralized model that freedombox needs to follow: > > http://lair.fifthhorseman.net/~dkg/tls-centralization/ > > To be clear, I'm just arguing against adoption of X.509 as a certificate > format for the FreedomBox. > > My argument does not cover: > > * message encryption and signature formats (e.g. PGP/MIME vs. S/MIME) > * transport layer tunnelling and authentication (e.g. TLS) > > these are separate decisions from the certificate formats, and should be > made separately.
Why not use the same key pair to generate an X.509 cert and a GPG key, and have the best of both worlds? I think the GNOME keyring is doing some unification work in this area. > > --dkg > > > _______________________________________________ > Freedombox-discuss mailing list > [email protected] > http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss > > _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
