Melvin,

That's awesome! We are planning on integrating something very similar in the 0.8 release. Being able to transform an SSH key/PGP key into an SSL client in an easy fashion, like through a web browser extension or just by visiting a Plinth page on a freedombox, would be really cool. We want to do SSL client authentication in the 0.8 release, but one of the big questions is how do you deploy SSL keys to everyone.

The Monkeysphere project has a system for allowing you to use your PGP keys for SSH key based authentication. [1] And it has also been extended to do SSL client authentication over the web. [2] That is actually why the Freedombox project recently switched from using mod_ssl to using mod_gnutls, since mod_gnutls has hooks to verify SSL client certs against the Web of Trust using the Monkeysphere validation agent. [3] We have documented the steps required to get an Apache server to recognize a user who authenticates using SSL client certificates that are derived from their personal PGP key. [4][5] To make this work seamlessly with web applications running behind Apache (such as Plinth or ikiwiki) requires another pretty simple Apache module (mod_auth_env). But once that Apache module is configured, any web applications (PHP apps, Python apps, whatever...) that can be configured to use Apache authentication will automatically recognize the user logged in using the SSL client cert. [6][7] This should also work in combination with Apache LDAP group authentication, which would be cool since Freedombox/Plinth now uses LDAP as its group and user store. This will let a Freedombox user control access to all of the applications running on his/her freedombox using the Plinth interface!

The biggest problem with this system (I think) is that not everyone has PGP keys. But putting that aside, even if you have a PGP key, the process now requires running a Perl script that lives in a Git repository [8] and then you have to import the key into your browser. It would be really cool if there was an easier way for people to generate the SSL certificates from PGP keys through their web browser. It looks like you use node-forge to do the SSH key to SSL key conversion. Is that something that can be done in a browser, or do you need a Node.js server? Do you think it could also convert a PGP key into an SSL key?

On a related note, if anyone wants to package mod_auth_env for Debian, that would be immensely appreciated!

-Marc

P.S. For those of you who are not excited about Let's Encrypt, Monkeysphere has a browser extension to allow you to do SSL server verification based on the web of trust as well. [9] It is a little more complicated because to validate the server based on the WoT each user would need to run the Monkeysphere validation agent.

[1] http://web.monkeysphere.info/
[2] http://web.monkeysphere.info/why/#index1h2
[3] https://demo.monkeysphere.info/
[4] https://wiki.debian.org/FreedomBox/ConfiguringModGnuTLS
[5] http://lists.alioth.debian.org/pipermail/freedombox-discuss/2014-March/006260.html
[6] https://github.com/matujo/mod_auth_env/wiki
[7] https://github.com/matujo/mod_auth_env
[8] git://git.monkeysphere.info/msva-perl
[9] http://web.monkeysphere.info/download/

On 11/17/2015 05:43 AM, Melvin Carvalho wrote:
>
> I tested this also with client side certificate authentication and it
> works well. This means we can sign in to each other's web FBX with our
> SSH keys. I wrote a node script that puts an ssh key in the browser:
>
> https://github.com/gitpay/util/blob/master/opensshToX509.js
>
> Needs a bit of cleaning up, but essentially it works.
>
> Markus
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

--
Marc Jones
Counsel
Software Freedom Law Center
1995 Broadway, 17th Floor
New York, NY 10023
Tel: 212-461-1919
Fax: 212-580-0898
Email: [email protected]
www.softwarefreedom.org
0xAC9364C7.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
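As an added illustration of the trust boundary in the setup Marc describes (this is not code from the thread, from Monkeysphere or from mod_auth_env): a Python WSGI middleware standing in for the Apache auth module, turning a client certificate that mod_gnutls has already verified into REMOTE_USER for the application behind it. It assumes the mod_ssl/mod_gnutls-style export variables SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_Email, a constructed sample environment, and the assumed rule that the certificate's e-mail address becomes the application user.

```python
import re

# Constructed sample WSGI environments (not real data). SSL_CLIENT_* follow
# the mod_ssl/mod_gnutls export convention; the forged header must be ignored.
VERIFIED_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_Email": "user@example.org",
    "HTTP_X_REMOTE_USER": "admin@example.org",  # attacker-controlled header
}
UNVERIFIED_ENV = {
    "SSL_CLIENT_VERIFY": "FAILED:certificate not trusted",
    "SSL_CLIENT_S_DN_Email": "user@example.org",
}

def user_from_client_cert(environ):
    """Identity to trust, or None. The subject is only meaningful when the
    TLS layer reports SUCCESS (with mod_gnutls + MSVA: key found in the WoT)."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    # Assumed mapping rule: the e-mail address in the cert is the app user.
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        return email
    return None

class ClientCertAuth:
    """WSGI middleware playing the role of the Apache auth module: set
    REMOTE_USER from the verified cert, or refuse the request."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        environ.pop("HTTP_X_REMOTE_USER", None)  # never trust a client header
        user = user_from_client_cert(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"valid client certificate required\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def whoami(environ, start_response):
    # Stand-in for Plinth/ikiwiki: the application only ever sees REMOTE_USER.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]

def run(environ):
    """Drive the stack in-process; returns (status, body)."""
    seen = []
    body = ClientCertAuth(whoami)(dict(environ), lambda s, h: seen.append(s))
    return seen[0], b"".join(body).decode()
```

The forged X-Remote-User header in the sample never reaches the application; only a SUCCESS verdict from the TLS layer does.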
