On 03/01/2011 12:08 PM, Melvin Carvalho wrote: > On 1 March 2011 18:00, Daniel Kahn Gillmor <[email protected]> wrote: >> I have no objections to using X.509 certificates as simple, "dummy" >> public-key carriers (as soon as i can find the time, i hope to publish >> some work that encourages this use case, in fact). >> >> But I do have a strong objection to contaminating the Freedom Box with >> the flawed certificate authority model currently used by the >> "widely-adopted" mass of X.509 software. > > Self sign your X.509 and you dont need a CA.
Right; thereby discarding the flawed CA model, and using the certificate as a dummy public-key carrier. The problem with this is that we still have no way of verifying/revoking these keys. This is where the certificate format comes in, and is the place i think FreedomBox should use OpenPGP. >>> I think the GNOME keyring is doing some unification work in this area. >> >> i'd be interested to see a pointer to this work. > > http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf thanks, i'm glad to see that they're on the right track. pkcs#11 is good for handling secret keys. unfortunately, the library spec is pretty weak for dealing with alternate certification mechanisms. I'll get in touch with these folks to see if there's a way to collaborate. --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
