[Freedombox-discuss] First impression of Let's Encrypt (LE) for FreedomBox

Marc Jones mjones at softwarefreedom.org
Wed Nov 18 16:35:37 UTC 2015 

Melvin,

Thats awesome!  We are planning on integrating in something very similar
in the 0.8 release. Being able to transform a SSH key/PGP key into a SSL
client in a easy fashion like through a web browser extension or just by
visiting a Plinth page on a freedombox would be really cool. We want to
do SSL client authentication in the 0.8 release but one of the big
questions is how do you deploy SSL keys to everyone.

The Monkeysphere project has a system for allowing you to use your PGP
keys for SSH key based authentication. [1] And it has also been extended
to do SSL client authentication over the web. [2] That is actually why
the Freedombox project recently switched from using mod_ssl to using
mod_gnutls, since mod_gnutls has hooks to verify SSL client certs
against the Web of Trust using the Monkeysphere validation agent. [3]

We have documented the steps required to get a Apache server to
recognize a user who authenticates using SSL Client certificates that
are derived from their personal PGP. [4][5]

To make this work seamlessly with web applications running behind apache
(such as plinth or ikiwiki) requires an another pretty simple Apache
module (mod_auth_env). But once that Apache module is configured any web
applications (PHP apps, Python apps, whatever...) that can be configured
to use Apache authentication will automatically recognize the user
logged in using the SSL client cert.[6][7]

This should also work in combination with Apache LDAP group
authentication as well, which would be cool since Freedombox/Plinth now
uses LDAP as its group and user store. This will let a Freedombox user
to control access to all of the applications running on his/her
freedombox using the Plinth interface!

The biggest problem with this system (I think) is that not everyone has
PGP keys. But putting that aside, even if you have a PGP key the process
now requires running a perl script that lives in a Git repository [8]
and then you have  to import the key into your browser. It would be
really cool if there was a easier way for people to generate the SSL
certificates from PGP keys through their web browser.

It looks like you use node-forge to do the SSH key to SSL key
conversion. Is that something that can be done in a browser or do you
need a Node.js server? Do you think it could also convert a PGP key into
a SSL key?

On a related note, any one that wants to package mod_auth_env for Debian
that would be immensely appreciated!

-Marc

P.S. For those of you are not excited about Let's Encrypt, monkeysphere
has a browser extension to allow you to do SSL Server verification based
on the web of trust as well. [9] It is a little more complicated because
to validate the server based on the WoT each user would need to run the
monkeysphere validation agent.

[1] http://web.monkeysphere.info/
[2] http://web.monkeysphere.info/why/#index1h2
[3] https://demo.monkeysphere.info/
[4] https://wiki.debian.org/FreedomBox/ConfiguringModGnuTLS
[5]
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2014-March/006260.html
[6] https://github.com/matujo/mod_auth_env/wiki
[7] https://github.com/matujo/mod_auth_env
[8] git://git.monkeysphere.info/msva-perl
[9] http://web.monkeysphere.info/download/

On 11/17/2015 05:43 AM, Melvin Carvalho wrote:
> 
> I tested this also with client side certificate authentication and it
> works well.  This means we can sign in to each other's web FBX with our
> SSH keys.  I wrote a node script that puts an ssh key in the browser:
> 
> https://github.com/gitpay/util/blob/master/opensshToX509.js
> 
> Needs a bit of cleaning up, but essentially it works.
>  
> 
> 
>     Markus
> 
> 
>     _______________________________________________
>     Freedombox-discuss mailing list
>     Freedombox-discuss at lists.alioth.debian.org
>     <mailto:Freedombox-discuss at lists.alioth.debian.org>
>     http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
> 
> 
> 
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
> 


-- 
Marc Jones
Counsel
Software Freedom Law Center
1995 Broadway, 17th Floor
New York, NY 10023
Tel: 212-461-1919
Fax: 212-580-0898
Email: mjones at softwarefreedom.org
www.softwarefreedom.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAC9364C7.asc
Type: application/pgp-keys
Size: 6436 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151118/9fc995de/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAC9364C7.asc
Type: application/pgp-keys
Size: 6435 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151118/9fc995de/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151118/9fc995de/attachment.sig>

More information about the Freedombox-discuss mailing list