<div dir="ltr"><div>Should we be incorporating <a href="https://letsencrypt.org/">https://letsencrypt.org/</a> at the same time?<br><br></div>Adrian<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 16, 2015 at 4:53 PM, Marc Jones <span dir="ltr"><<a href="mailto:mjones@softwarefreedom.org" target="_blank">mjones@softwarefreedom.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sunil and James,<br>
<br>
As we discussed before we want to get the SSL Client certificate auth<br>
integrated into freedombox for the 0.8 release. I put a proposal in to<br>
present a libreplanet in March and I think this would be a cool thing to<br>
show off.<br>
<br>
To get there though we have some work because we are kind of blazing a<br>
new trail. No one is doing anything like this right now. But I think it<br>
will be a great foundation to doing more stuff because it is a first<br>
step in having our freedomboxes know about PGP. (Maybe one day we can<br>
use PGP to allow FBXs to exchange data with each other. FBX backups<br>
perhaps!)<br>
<br>
To get this integrated I think we have all of the components we just<br>
need to pick a plan for an initial implementation. James suggested we do<br>
this as an experimental plinth module for 0.8. Which I think makes a lot<br>
of sense because until we get mod_auth_env in debian that will have to<br>
be installed manually. Plus I think this really is an experiment.<br>
<br>
There are lots of use cases based on weather or not the Freedombox owner<br>
has a PGP key already, but I think if we assume that the FBX owner has a<br>
PGP key already published in the WoT it makes our initial goal as simple<br>
as it can be. In this case, I think we need to do the following things<br>
at minimum to say we have this integrated in:<br>
<br>
1) package up mod_auth_env to make it as simple as possible to install<br>
by hand (DONE by James)<br>
<br>
2) Create monkeysphere plinth module that will:<br>
    * turn on Client Cert Auth<br>
        * turn on mod-auth-env<br>
        * turn on modgnutls client cert support as optional<br>
        * turn on apache auth as optional<br>
        * run msva<br>
    * Allow user to add what PGP keys for MSVA to trust for verification<br>
purposes based on email or fingerprint published in WoT<br>
<br>
3) modify plinth to recognize Apache Auth username, but only if<br>
Mod_gnutls has verified the address. If there is not Apache Auth user<br>
then Plinth operates as it does now.<br>
<br>
4) Give instructions on how to convert your PGP key into a Client SSL<br>
cert and load it into your browser<br>
<br>
<br>
I think the Apache Auth configuration should for now make the Client<br>
Cert option and the Apache user as optional so if no client cert is<br>
present it just falls through to Plinths current internal auth.<br>
<br>
What do you guys think of this as a first step? This would let use set<br>
up a freedombox that used SSL Client certs that you could let your<br>
friends access. I am thinking eventually having the official project<br>
website hosted on a freedombox that core devs can update by logging in<br>
via SSL client certs or something.<br>
<br>
After this there should be some quick wins like monkeysphere based SSH<br>
login, monkeysphere SSH key verification, making keys for users who dont<br>
already have PGP certs, etc.... We might even be able to use<br>
monkeysphere to provide authenticated SSL server certs for accessing<br>
FBXs via Tor hidden addresses since you still cant get certificate<br>
cartel SSL certs for .onion addresses.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Marc<br>
<br>
--<br>
Marc Jones<br>
Counsel<br>
Software Freedom Law Center<br>
1995 Broadway, 17th Floor<br>
New York, NY 10023<br>
Tel: <a href="tel:212-461-1919" value="+12124611919">212-461-1919</a><br>
Fax: <a href="tel:212-580-0898" value="+12125800898">212-580-0898</a><br>
Email: <a href="mailto:mjones@softwarefreedom.org">mjones@softwarefreedom.org</a><br>
<a href="http://www.softwarefreedom.org" rel="noreferrer" target="_blank">www.softwarefreedom.org</a><br>
</font></span><br>_______________________________________________<br>
Freedombox-discuss mailing list<br>
<a href="mailto:Freedombox-discuss@lists.alioth.debian.org">Freedombox-discuss@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss" rel="noreferrer" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:"Arial",sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:"Arial",sans-serif;color:#1f497d"></span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div></div>
</div>