On 1 March 2011 19:34, Jonas Smedegaard <[email protected]> wrote: > On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote: >> >> On 1 March 2011 18:44, Daniel Kahn Gillmor <[email protected]> wrote: >>> >>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote: >>>> >>>> But actually there is a way in the case of the Freedom Box, because you >>>> have the advantage of controlling your own server. >>>> >>>> Since you are already running a webserver and (hopefully) have control >>>> of your DNS. >>>> >>>> You can provide a two-way verification chain. >>>> >>>> 1. Your Person Profile publishes your public key. (this is a few >>>> lines of html5, should be easy) >>>> 2. Point your self-signed X.509 to your Freedom Box profile. This can >>>> be done by putting an entry in the SubjectAltName field of the cert, a >>>> common technique. >>>> >>>> This provides strong verification for all the X.509 tool chain and means >>>> you can talk security to any server using SSL/TLS which is most of them, >>>> providing strong authentication as a side product. >>> >>> This doesn't provide an adequate means of revocation, though. If an >>> attacker gets control over your key, and is able to repoint DNS, then you >>> cannot publish any revocation statement about this key through this channel. >> >> If an attacker does gain these two points of control, and they knew what >> they were doing, you could have an issue yes. >> >> We need to scope out a revocation model, but I dont think it's that hard. >> May already be something existing, I'll have a check. > > Without plauing with it yet myself, I blindly assumed Monkeysphere was > usable for exactly this: use GPG web of trust to assure certificates. > > >>> These two points are what i meant when i said that this model has "no way >>> of verifying/revoking these keys". >>> >>> I'm sure you could graft something like this onto <X.509+your scheme >>> above>; but OpenPGP already exists and handles these cases pretty well. Why >>> reinvent the wheel? >> >> Because X.509 is quite webby, and the web is the dominant ecosystem on >> the internet. > > more specifically: TLS allows for RESTful secure identity handling - which > helps save bandwidth as is is friendly to proxies and other caching. > > http://www.w3.org/wiki/WebID
Yes, exactly. There's a group that has now moved this a step closer to standardization with the a W3C Web Consortium Incubator Group. http://www.w3.org/2005/Incubator/webid/charter I know revocation has been raised as a topic. I normally listen in on the telecons, so I can report back on this topic, and any others people with to raise. > > > Your arguments about the trust model, Daniel, I agree with: we should not > (only) rely on existing certificate chains. > > > - Jonas > > -- > * Jonas Smedegaard - idealist & Internet-arkitekt > * Tlf.: +45 40843136 Website: http://dr.jones.dk/ > > [x] quote me freely [ ] ask before reusing [ ] keep private > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iQIcBAEBCgAGBQJNbTwmAAoJECx8MUbBoAEhYpIQAKN6mPCQSClHgE5jkyjBm/D+ > dWAfJthHeIdAfEHs+5aXQh7ldK5QJICWVArAPmD4bWvOyY5EreeXb7T5xSMUSH3N > lxGWuOwPhcyggLe3gW+ISGf1TC1bQV2fvVqtKTOpnki1V0T60j/9N5y8HHiBGCAO > tKam+n3kfz2BuyTDshxHTdTFapVCjXmbIjOYGigVww9lgTqmkVKMaTqnLk/S32cc > URfK60Hk8Xuff2pQMmAkzY2kH1IDPc3+9TMViblyePpOaynVd5+TbaZb8pXNZIzw > t8PbBG4GVH45Ap1C17MT2ubYSI6DLYBmN1IMhvZOcaqDdx0FxZ1a0lu+h3i1A+wN > 3K6WX4ejIKqVaDpSEUWo8dp+/uJ7agooiTahvHycX+OGmJRYBCIMez7vWuBDHUss > jxls5miEol+6FtxB1jCP3O/0GdLSLDfIHhCHQ0FLUKjkVi64JI/4a0w/ILiWCyyG > LCR3x9M/zZztuU/jbEV4I/QvFk3Q3is9OgK75U4TPyHYMlynfdFt21d7/rytSp4J > 70GwzQlAHj9p29sJ3IkY2UNcASkBSnY0KbycN7SNupPLRrlUqoIDdGQEp7ZpRoIF > d5G0R3HAVC3HsESDSQOzGK925yFocf3+KcYkvPNrJz4fXpwV0Hjt1zxuq3ctUUzu > xIKO0W+d02PY10NS3Lnw > =j4jz > -----END PGP SIGNATURE----- > > _______________________________________________ > Freedombox-discuss mailing list > [email protected] > http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss > > _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
