[Freedombox-discuss] [Freedom Box] Finding your FB box on the network
Jonas Smedegaard
dr at jones.dk
Fri Oct 15 10:00:38 UTC 2010
On Fri, Oct 15, 2010 at 10:15:09AM +0200, Christian Brædstrup wrote:
>>
>> I wonder where you spent your 20 minutes. Googling for "WebID
>> openssl" (to emphasize pages describing how to generate the
>> WebID-compatible certificates on Linux) gives the following as one of
>> the first hits: http://docs.openlinksw.com/virtuoso/vfoafssl.html
>>
>> You only need to follow section 17.3.1 to generate the key, but I
>> suggest you read the introduction in 17.3 too.
>>
>
>Googled it and found the first website that looked good:
>http://esw.w3.org/WebID

Yeah - I thought I'd mentioned above already earlier on - it is the
(old?) canonical intro page for WebID, but does not contain practical
info on how to generate one.

>I will take a look at the links above. I agree with you that webID
>would be a great feature but before having tried to set it up myself I
>don't know how easy it is.

Makes sense. Great that you at least are convinced to try a little
harder. :-D

I now adapted my CSR script used for cacert.org certificates, to support
injecting non-NDS URNs and thus support WebID type certificates:
http://source.jones.dk/?p=bin.git;a=blob_plain;f=localcsr

There is tons of documentation out there on using OpenSSL. Here is one
that seems to cover both self-signing and use of CSR:
http://www.herongyang.com/crypto/OpenSSL_Signing_keytool_CSR.html

My script above should be easy to hack into creating a self-signed cert
instead of a CSR: I haven't tried but suspect it only needs replacing
line 116 with that documented here:
http://www.herongyang.com/crypto/OpenSSL_Signing_keytool_CSR_2.html

>2010/10/15 Philip Hands <phil at hands.com>
>
>> On Thu, 14 Oct 2010 22:57:18 +0200, Christian Brædstrup <
>> linuxchristian at gmail.com> wrote:
>> > Bert, I don't think you can use the debian installer to install from a
>> > Live-CD.
>>
>> I think he was saying "Why use a live CD to install, when
>> debian-installer will do the job?" -- If so, I agree with him.
>>
>>
>And I agree with the both of you but as I can see you can't use
>debian-installer with the live CD.

I suspect a Live-CD is a bad choice for embedded devices.

If it helps you dive into other parts of this project quickly then
great, but beware of inventing routines tied to this specific
bootstrapping method.

Hands-off is layering on top of the *generic* debian-installer. Most of
what hands-off does should be possible to throw on a USB stick or some
other media. So quite flexible in ways to deploy:

  * Choose a way to bootstrap the installer itself
    - CD
    - USB stick
    - Netboot
  * Choose a way to inject install customizations
    - Web (like Hands-off)
    - USB stick (can be same as bootstrap stick)
    - CD

The bootstrapping is standard unaltered Debian code, so if tampered with
by evil-doers then the whole Debian community is equally affected by
that security breach.

The install customizations are plain text, so can be proofread
relatively easily.

In comparison, I suspect that your intended approach is a custom LiveCD,
which means a large custom binary chunk. Bad for security!

Sure we can GPG sign the binary chunk. But we still shift from the
thousands of eyeballs of Debian developers + millions of eyeballs of
Debian users, to the much fewer eyeballs of FreedomBox developers/users.

Regards,

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private