[Freedombox-discuss] Freedombox CA

Keith keith at fernie.eu
Thu Sep 12 14:06:46 UTC 2013


After further thought:

With a CA on each freedombox we could have something like this

Create a CA using (options used could be changed)
openssl genrsa -des3 -out "Freedombox CA.key" 4096
openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"

Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
bits, could use 4096 bits if Postfix is the MTA used).

Include in Plinth an option for a freedom box to obtain ssl keys with
the Freedombox CA. No interface to an external website, openssl can do
this.

The public key of the Freedombox CA could be published, to be imported
into someone else's browser, could be a problem with multiple Freedombox
CAs with the same name.

Possibly a paranoid option to rotate the ssl keys on the freedom box
running manually and/or as a cron job (Now doing this daily with one of
my mailservers).


On Thu, 2013-09-12 at 12:05 +0200, Jonas Smedegaard wrote:
> Quoting Keith (2013-09-12 12:43:28)
> > Anyone for setting up a Freedombox CA?
> > This could be added to the freedombox as a trusted CA and usable for
> > freedombox to freedombox TLS only.
> 
> Please update subject field to reflect when, well, changing subject.
> 
> It could, if it is deemed sensible to trust an external entity separate 
> from other external entities with a lot more eyeballs on them.
> 
> Or, if your idea is that "we" run the CA, I am curious how "we" as a 
> non-hierarchical body deal with such a hierarchical structure as a CA.
> 
> Personally I would prefer this sliding scale:
> 
>   common CAs -> CAcert.org -> no CAs
> 
> I.e. I see no need for creating a new CA.  But am open to (at least try 
> to) understand the reasoning behind your idea. :-)
> 
> 
>  - Jonas
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
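
Added example (not part of the original post and not FreedomBox code): the per-box CA described in the message above, with a box certificate signed by its own CA, and a check showing that two CAs sharing the name "Freedombox CA" are still different trust anchors. The directory names, host name and -subj value are constructed; keys are unencrypted and 2048-bit only so the commands run non-interactively, where the post uses -des3 and 4096 bits.

```shell
#!/bin/sh
# Constructed demo: every file lives in a throwaway temp directory.

make_ca() {   # $1 = CA directory; creates ca.key and a self-signed ca.pem
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -subj "/CN=Freedombox CA" -out "$1/ca.pem"
}

issue_cert() {  # $1 = CA directory, $2 = host name (constructed)
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 365 -out "$1/$2.pem" 2>/dev/null
}

ca_subject()     { openssl x509 -in "$1/ca.pem" -noout -subject; }
ca_fingerprint() { openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256; }

# Succeeds only if certificate $2 chains to the CA stored in directory $1.
trusts() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }

demo() {
    work=$(mktemp -d)
    make_ca "$work/boxA"; make_ca "$work/boxB"
    issue_cert "$work/boxA" mail.boxa.example
    # Same subject name on both CAs ...
    ca_subject "$work/boxA"; ca_subject "$work/boxB"
    # ... but different keys, so different fingerprints.
    ca_fingerprint "$work/boxA"; ca_fingerprint "$work/boxB"
    trusts "$work/boxA" "$work/boxA/mail.boxa.example.pem" \
        && echo "verified against boxA CA"
    trusts "$work/boxB" "$work/boxA/mail.boxa.example.pem" \
        || echo "rejected by boxB CA despite the identical CA name"
    rm -rf "$work"
}
demo
```

Anyone importing a published CA certificate has to compare the fingerprint out of band, since the subject name alone does not identify which box issued it.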




