-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 23/05/12 15:58, The Doctor wrote: > On 05/22/2012 12:26 PM, Michael Rogers wrote: >> Looking briefly at the Monkeysphere proposal mentioned earlier >> in this thread, there appear to be some fields that could be used >> to distinguish Monkeysphere-based handshakes from other >> handshakes: > > Is that before or after an SSL or TLS connection is negotiated?
This happens during the TLS handshake. The Monkeysphere proposal describes a way of using PGP keys to sign TLS certificates. The certificates are exchanged during the handshake just like CA-signed or self-signed certificates would be. >> * A new signature type is used, NullSignatureUseOpenPGP. * The >> signature type's object ID comes from an ID space allocated to >> the Monkeysphere project. * The signature consists of the ASCII >> bytes "use OpenPGP". > > In this case yes, these could be used to detect certificate > exchange. Exchanging over an unauthenticated crypto channel is > probably not a good idea. I think the idea is that the endpoints would already have authenticated each other's PGP keys somehow; the Monkeysphere proposal allows that prior authentication step to be used to authenticate TLS connections. > If it was, it would make it more difficult to detect and censor > FreedomBox traffic. If it wasn't that would be a risk that would > be implicitly accepted, and possibly need to be dealt with later. Agreed. I'm not trying to argue for or against making indistinguishability of FreedomBox traffic from other TLS traffic a design goal; all I'm trying to do is to point out that if it's a design goal, the Monkeysphere proposal isn't suitable. Cheers, Michael -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPvP3WAAoJEBEET9GfxSfMieIIAJDjfxaTMpA7emTY0B2aAdnl xlOKeXKLeGGOT/fssZ1VqdbFc11s/O0cFQuUzAscis3EJrCjmGOHfkSrv3yMRwxC o4mSeH8EOkN62A9ZfIJWDjkOS1vpUid3PWw5v2t2USwfDt+i5w44gjVJ3xhCCf1T RqOWKzwWOqS2DOggx0c/r4u0FazS5w4jBWYPNFI/3ZGZmN0KnaEGoZspZ5R7MsTL LyqEif4QyZc/NT4LAcLmLgYnV/BPZbg0b7EGcwVfxFxPBczuhxQLmLZUdSBVExSd Tm7eLOWIDksKVmZ84dehxHmaS7178Zt1D/g+DyeNVZUmiHV1UxGRESLmEVvzxGo= =Z0nZ -----END PGP SIGNATURE----- _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
