[Freedombox-discuss] [Freedom Box] Finding your FB box on the network
Jonas Smedegaard
dr at jones.dk
Thu Oct 14 21:37:55 UTC 2010
On Thu, Oct 14, 2010 at 10:57:18PM +0200, Christian Brædstrup wrote:
>Here our existing debian system is the live system.
>
>Yes, I agree that my solution is a bit complicated but not more than
>setting up a webID. I have tried to get a webID but after using 20
>minutes I don't want to spend more time trying to get one and I can't
>see how a cracked computer with a webID on it would secure the user
>from an intruder overtaking the FB.
Booting a debian-live and debootstrapping from there is sane.

The problem comes when booting a debian-live, then accessing it via the
network (not directly attached keyboard and screen) and debootstrapping
from there.

You are right that when the system is cracked, the game is over. WebID
means two-way SSL to help avoid cracking:

Using SSL secures against evil-doers sniffing communication.

Using Client-side SSL certificate allows the FreedomBox to verify that
someone accessing the system later is the same as the one requesting the
reset initially. This protects against the FreedomBox participating in
impersonating by evil-doers.

There is still the remote possibility of an evil-doer rerouting traffic
and impersonating the FreedomBox using a different host, which cannot be
protected against by the FreedomBox.

WebID is a client-side SSL certificate. It is _also_ something more and
new and fancy and not very well tested - but that is irrelevant for the
purpose of initially bonding the user to her FreedomBox as fast and as
solid as possible.
>If you guys can make webID dirt easy to use and not depend on someone
>having to create a login on a third party website to install their box
>then I am all for it. My stand is that the fewer accounts the user
>needs to create and third-party software he needs to install the better
>the FB will be. If the software needs to be easy to use then we need to
>use as much existing user infrastructure as possible.
I wonder where you spent your 20 minutes. Googling for "WebID openssl"
(to emphasize pages describing how to generate the WebID-compatible
certificates on Linux) gives the following as one of the first hits:
http://docs.openlinksw.com/virtuoso/vfoafssl.html
You only need to follow section 17.3.1 to generate the key, but I
suggest you read the introduction in 17.3 too.
>Now having looked a little bit more at Zeroconf I think it is a fine
>solution. I will try to look into creating a system that boots with
>Zeroconf support.
Great
>Is anyone else working on that?
Not me...
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
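
The bonding check described in the message above (the box remembers which client certificate requested the reset and later admits only that one), as an added example that is not part of the original message or of any FreedomBox code. It assumes the TLS layer hands over the DER bytes of the certificate the client presented; `OwnerBond` and its method names are hypothetical, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
from typing import Optional


class BondError(Exception):
    """Raised when a bonding request cannot be honoured."""


class OwnerBond:
    """Trust-on-first-use pin of one client certificate (hypothetical helper).

    Assumption: the TLS server passes in the DER bytes of the certificate the
    client presented in the handshake, or None if it presented none.
    """

    def __init__(self) -> None:
        self._pin: Optional[bytes] = None  # SHA-256 of the owner's certificate

    @staticmethod
    def fingerprint(der_cert: bytes) -> bytes:
        return hashlib.sha256(der_cert).digest()

    def request_reset(self, der_cert: Optional[bytes]) -> str:
        """First contact: remember who asked. Refuse if already bonded."""
        if not der_cert:
            raise BondError("no client certificate presented")
        if self._pin is not None:
            raise BondError("box is already bonded to a certificate")
        self._pin = self.fingerprint(der_cert)
        return self._pin.hex()

    def authorize(self, der_cert: Optional[bytes]) -> bool:
        """Later contact: admit only the certificate pinned at reset time."""
        if self._pin is None or not der_cert:
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self._pin, self.fingerprint(der_cert))


# Constructed stand-ins for DER certificates (not real certificates).
OWNER_CERT = b"constructed-der-bytes-owner"
OTHER_CERT = b"constructed-der-bytes-someone-else"

if __name__ == "__main__":
    bond = OwnerBond()
    print("pinned:", bond.request_reset(OWNER_CERT))
    print("owner admitted:", bond.authorize(OWNER_CERT))
    print("other admitted:", bond.authorize(OTHER_CERT))
```

The pin covers only the box's side of the exchange; a client still has to check the server certificate to notice traffic rerouted to a different host.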