[Freedombox-discuss] Freedombox CA

Jonathan Wilkes jancsika at yahoo.com
Thu Sep 12 16:19:59 UTC 2013


On 09/12/2013 10:06 AM, Keith wrote:
> After further thought:
>
> With a CA on each freedombox we could have something like this
>
> Create a CA using (options used could be changed)
> openssl genrsa -des3 -out "Freedombox CA.key" 4096
> openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"
>
> Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
> bits, could use 4096 bits if Postfix is the MTA used).
>
> Include in Plinth an option for a freedom box to obtain ssl keys with
> the Freedombox CA. No interface to an external website, openssl can do
> this.
>
> The public key of the Freedombox CA could be published, to be imported
> into someone else's browser, could be a problem with multiple Freedombox
> CAs with the same name.
>
> Possibly a paranoid option to rotate the ssl keys on the freedom box
> running manually and/or as a cron job (Now doing this daily with one of
> my mailservers).

Hi Keith,
      In short, the entire white-hat security community guessed what
"prohibitively expensive" meant.  They guessed too low.  Now we
know, and everyone (including the white-hats and the surveillance
industry) is scrambling to recover from the revelation.

Some are thinking of it as the tinfoil hats coming off.  I think of it as
tinfoil hats appearing on every head of every person who has a device
connected to the internet.  I like it that way because "paranoid" becomes
a synonym for "human", and all those previous "paranoid options" that
are cordoned off with scant documentation suddenly become "bad
human interfaces" which were prohibitively complicated to have actually
provided security or privacy to the user when it turned out that they
needed it.

So to me, "paranoid option" now either means a) core feature which should
be implemented cleanly, by default, or b) a dead coal mine canary that says
the interface itself is too complicated, so start over and rethink it.

Best,
Jonathan
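
Added example, not part of either message above: the per-box CA flow Keith proposes (create a CA, issue a service certificate locally with openssl) together with his caveat about several CAs sharing one name. Two boxes build a CA called "Freedombox CA"; the subjects match, the fingerprints do not, and a certificate issued by one box fails to verify under the other's CA. The helper names, file layout, host name box.example and the 2048-bit unencrypted keys (instead of the thread's passphrase-protected 4096-bit key) are assumptions chosen so the script runs unattended.

```shell
# Assumptions: helper names, paths and box.example are constructed for this demo;
# keys are 2048-bit and unencrypted only so the script runs without prompts.
make_ca() {  # $1 = directory holding this box's CA
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Freedombox CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = CA directory, $2 = host name; writes $1/$2.pem
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

subject_of()     { openssl x509 -in "$1" -noout -subject; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
trusts() {  # $1 = CA certificate, $2 = leaf certificate; true only if the chain verifies
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/boxA" && make_ca "$d/boxB" && issue_cert "$d/boxA" box.example
  subject_of "$d/boxA/ca.pem"; subject_of "$d/boxB/ca.pem"          # identical names
  fingerprint_of "$d/boxA/ca.pem"; fingerprint_of "$d/boxB/ca.pem"  # distinct keys
  trusts "$d/boxA/ca.pem" "$d/boxA/box.example.pem" && echo "verifies under box A's CA"
  trusts "$d/boxB/ca.pem" "$d/boxA/box.example.pem" || echo "rejected under box B's CA"
  rm -rf "$d"
}
demo
```

Anyone importing a published Freedombox CA certificate therefore has to compare its SHA-256 fingerprint with one obtained from the box's owner, since the displayed name does not distinguish one box's CA from another's.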
