[Freedombox-discuss] Freedombox CA

Simo simo at samba.org
Thu Sep 12 20:40:02 UTC 2013


On Thu, 2013-09-12 at 15:13 +0100, keith at sd-kvm.me4.it wrote:
> Gnutls may be usable as an alternative to Openssl.
> It's already in Debian, new to me.

What's wrong with OpenSSL that GNUTLS gets right?

Simo.

> > On Thu, Sep 12, 2013 at 03:06:46PM +0100, Keith wrote:
> >> After further thought:
> >>
> >> With a CA on each freedombox we could have something like this
> >>
> >> Create a CA using (options used could be changed)
> >> openssl genrsa -des3 -out "Freedombox CA.key" 4096
> >
> > Is there any remote chance to use a different crypto library/tool
> > than OpenSSL? I realize that the license issues preclude many
> > of potential alternatives from inclusion in Debian.
> >
> >> openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out
> >> "Freedombox CA.pem"
> >>
> >> Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
> >> bits, could use 4096 bits if Postfix is the MTA used).
> >>
> >> Include in Plinth an option for a freedom box to obtain ssl keys with
> >> the Freedombox CA. No interface to an external website, openssl can do
> >> this.
> >>
> >> The public key of the Freedombox CA could be published, to be imported
> >> into someone else's browser, could be a problem with multiple Freedombox
> >> CA's with the same name.
> >>
> >> Possibly a paranoid option to rotate the ssl keys on the freedom box
> >> running manually and/or as a cron job (Now doing this daily with one of
> >> my mailservers).
> > _______________________________________________
> > Freedombox-discuss mailing list
> > Freedombox-discuss at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
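The CA-on-each-box procedure Keith outlines above, as an added, runnable example that is not code from the thread or from the FreedomBox project. It creates a per-box CA, issues a server certificate signed by it, verifies the chain, and prints the CA's SHA-256 fingerprint, which is what lets someone importing the CA into a browser tell apart two CAs that both call themselves "Freedombox CA". Everything beyond the two openssl commands in the thread is my assumption: the function names, the directory layout, the bracketed identifier appended to the CA name, the extension settings, and leaving out -des3 (a passphrase-protected CA key cannot be used by an unattended service or a cron job, so the key is protected by file permissions instead).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a minimal per-box CA.
# Assumptions: plain openssl(1) is installed; keys live unencrypted in DIR
# with mode 0600 (umask 077) instead of behind a -des3 passphrase.
set -eu
umask 077

# fbx_make_ca DIR ID : create DIR/ca.key (4096-bit, as in the thread) and the
# self-signed DIR/ca.pem, valid 3650 days. ID (e.g. a hostname) is appended to
# the CA name so two boxes' CAs are at least not byte-identical in their subject.
fbx_make_ca() {
  local dir=$1 id=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Freedombox
CN = Freedombox CA ($id)
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" \
    -config "$dir/ca.cnf" -out "$dir/ca.pem"
}

# fbx_issue_cert DIR HOST : 2048-bit server key (the size the thread mentions
# for Postfix's snakeoil key), a CSR, and a one-year leaf cert signed by the
# box CA with a SAN of HOST and CA:FALSE so the leaf cannot itself sign.
fbx_issue_cert() {
  local dir=$1 host=$2
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
    -out "$dir/$host.csr"
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem" 2>/dev/null
}

# fbx_verify CA_PEM CERT_PEM : exit 0 only if CERT_PEM chains to CA_PEM.
fbx_verify() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fbx_ca_fingerprint DIR : the value to publish alongside the CA certificate;
# a name can be shared by many CAs, a key fingerprint cannot.
fbx_ca_fingerprint() {
  openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Demo run (constructed hostname): CA, leaf cert, chain check, fingerprint.
demo_dir=$(mktemp -d)
fbx_make_ca "$demo_dir" "box.example"
fbx_issue_cert "$demo_dir" "box.example"
fbx_verify "$demo_dir/ca.pem" "$demo_dir/box.example.pem" && echo "chain ok"
echo "publish this with ca.pem: $(fbx_ca_fingerprint "$demo_dir")"
```

The fingerprint line is the practical answer to the "multiple Freedombox CAs with the same name" worry: whoever imports a box's CA should compare that value out of band, because a browser's trust store keys on the certificate, not on the display name.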