[Freedombox-discuss] Steps for integrating in Monkeysphere to Freedombox

Marc Jones mjones at softwarefreedom.org
Wed Dec 16 21:53:05 UTC 2015 

Sunil and James,

As we discussed before we want to get the SSL Client certificate auth
integrated into freedombox for the 0.8 release. I put a proposal in to
present a libreplanet in March and I think this would be a cool thing to
show off.

To get there though we have some work because we are kind of blazing a
new trail. No one is doing anything like this right now. But I think it
will be a great foundation to doing more stuff because it is a first
step in having our freedomboxes know about PGP. (Maybe one day we can
use PGP to allow FBXs to exchange data with each other. FBX backups
perhaps!)

To get this integrated I think we have all of the components we just
need to pick a plan for an initial implementation. James suggested we do
this as an experimental plinth module for 0.8. Which I think makes a lot
of sense because until we get mod_auth_env in debian that will have to
be installed manually. Plus I think this really is an experiment.

There are lots of use cases based on weather or not the Freedombox owner
has a PGP key already, but I think if we assume that the FBX owner has a
PGP key already published in the WoT it makes our initial goal as simple
as it can be. In this case, I think we need to do the following things
at minimum to say we have this integrated in:

1) package up mod_auth_env to make it as simple as possible to install
by hand (DONE by James)

2) Create monkeysphere plinth module that will:
	* turn on Client Cert Auth
                * turn on mod-auth-env
                * turn on modgnutls client cert support as optional
                * turn on apache auth as optional
                * run msva
	* Allow user to add what PGP keys for MSVA to trust for verification
purposes based on email or fingerprint published in WoT

3) modify plinth to recognize Apache Auth username, but only if
Mod_gnutls has verified the address. If there is not Apache Auth user
then Plinth operates as it does now.

4) Give instructions on how to convert your PGP key into a Client SSL
cert and load it into your browser


I think the Apache Auth configuration should for now make the Client
Cert option and the Apache user as optional so if no client cert is
present it just falls through to Plinths current internal auth.

What do you guys think of this as a first step? This would let use set
up a freedombox that used SSL Client certs that you could let your
friends access. I am thinking eventually having the official project
website hosted on a freedombox that core devs can update by logging in
via SSL client certs or something.

After this there should be some quick wins like monkeysphere based SSH
login, monkeysphere SSH key verification, making keys for users who dont
already have PGP certs, etc.... We might even be able to use
monkeysphere to provide authenticated SSL server certs for accessing
FBXs via Tor hidden addresses since you still cant get certificate
cartel SSL certs for .onion addresses.

-Marc
	
-- 
Marc Jones
Counsel
Software Freedom Law Center
1995 Broadway, 17th Floor
New York, NY 10023
Tel: 212-461-1919
Fax: 212-580-0898
Email: mjones at softwarefreedom.org
www.softwarefreedom.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAC9364C7.asc
Type: application/pgp-keys
Size: 6825 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151216/f45a8709/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151216/f45a8709/attachment-0001.sig>

More information about the Freedombox-discuss mailing list