[Freedombox-discuss] my summary of yesterday's Hackfest

Melvin Carvalho melvincarvalho at gmail.com
Tue Mar 1 18:51:07 UTC 2011


On 1 March 2011 19:34, Jonas Smedegaard <dr at jones.dk> wrote:
> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>>
>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>>>
>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>>
>>>> But actually there is a way in the case of the Freedom Box, because you
>>>> have the advantage of controlling your own server.
>>>>
>>>> Since you are already running a webserver and (hopefully) have control
>>>> of your DNS.
>>>>
>>>> You can provide a two-way verification chain.
>>>>
>>>> 1. Your Person Profile publishes your public key.  (this is a few
>>>> lines of html5, should be easy)
>>>> 2. Point your self-signed X.509 to your Freedom Box profile.  This can
>>>> be done by putting an entry in the SubjectAltName field of the cert, a
>>>> common technique.
>>>>
>>>> This provides strong verification for all the X.509 tool chain and means
>>>> you can talk security to any server using SSL/TLS which is most of them,
>>>> providing strong authentication as a side product.
>>>
>>> This doesn't provide an adequate means of revocation, though.  If an
>>> attacker gets control over your key, and is able to repoint DNS, then you
>>> cannot publish any revocation statement about this key through this channel.
>>
>> If an attacker does gain these two points of control, and they knew what
>> they were doing, you could have an issue yes.
>>
>> We need to scope out a revocation model, but I don't think it's that hard.
>>  May already be something existing, I'll have a check.
>
> Without playing with it yet myself, I blindly assumed Monkeysphere was
> usable for exactly this: use GPG web of trust to assure certificates.
>
>
>>> These two points are what i meant when i said that this model has "no way
>>> of verifying/revoking these keys".
>>>
>>> I'm sure you could graft something like this onto <X.509+your scheme
>>> above>; but OpenPGP already exists and handles these cases pretty well.  Why
>>> reinvent the wheel?
>>
>> Because X.509 is quite webby, and the web is the dominant ecosystem on
>> the internet.
>
> more specifically: TLS allows for RESTful secure identity handling - which
> helps save bandwidth as it is friendly to proxies and other caching.
>
> http://www.w3.org/wiki/WebID

Yes, exactly.

There's a group that has now moved this a step closer to
standardization with a W3C Web Consortium Incubator Group.

http://www.w3.org/2005/Incubator/webid/charter

I know revocation has been raised as a topic.  I normally listen in on
the telecons, so I can report back on this topic, and any others
people wish to raise.

>
>
> Your arguments about the trust model, Daniel, I agree with: we should not
> (only) rely on existing certificate chains.
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
>
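
The two-step chain described in the quoted text (the profile publishes the public key, and the self-signed certificate's SubjectAltName points at the profile), as an added Go example that is not part of the original thread. The `fetch` callback, the `box.example` URI and a profile that yields an already-parsed RSA key are assumptions standing in for an HTTPS fetch and profile parsing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// selfSigned makes a key pair and a self-signed cert whose SubjectAltName carries the profile URI.
func selfSigned(profileURI string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	u, uerr := url.Parse(profileURI)
	if err != nil || uerr != nil {
		return nil, nil, errors.Join(err, uerr)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u}, // step 2: SAN entry pointing at the profile
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify returns the SAN URI whose profile (read via fetch, a hypothetical stand-in) publishes the cert's key.
func verify(cert *x509.Certificate, fetch func(uri string) *rsa.PublicKey) (string, error) {
	for _, u := range cert.URIs {
		if pub := fetch(u.String()); pub != nil && pub.Equal(cert.PublicKey) {
			return u.String(), nil // step 1 matched: the profile publishes this key
		}
	}
	return "", errors.New("no SAN URI leads to a profile publishing this key")
}

func main() {
	cert, key, err := selfSigned("https://box.example/profile#me") // constructed URI
	if err != nil {
		panic(err)
	}
	fmt.Println(verify(cert, func(string) *rsa.PublicKey { return &key.PublicKey }))
}
```

The check accepts whatever key the URI currently serves, so it also succeeds for anyone who holds the key and controls what that URI resolves to, which is the revocation gap raised in the thread.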


