[Freedombox-discuss] my summary of yesterday's Hackfest

Melvin Carvalho melvincarvalho at gmail.com
Tue Mar 1 16:50:39 UTC 2011


On 1 March 2011 17:43, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 03/01/2011 10:51 AM, Matt Willsher wrote:
>> My point is rather: why not just use X.509 keys and certs and why use
>> GPG/PGP at all? X.509 is multi purpose, well adopted and well trusted.
>
> X.509 is certainly widely adopted, but that's about all you can say for it.
>
> well-trusted?  not so much. here's a few links to get you started:
>
>
> http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model
>
>  https://www.eff.org/observatory
>
>
> https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
>
>  http://www.cs.auckland.ac.nz/~pgut001/pubs/rsa2011.pdf
>
> And due to its single-issuer-per-cert design, X.509 is intrinsically
> antithetical to the decentralized model that freedombox needs to follow:
>
>  http://lair.fifthhorseman.net/~dkg/tls-centralization/
>
> To be clear, I'm just arguing against adoption of X.509 as a certificate
> format for the FreedomBox.
>
> My argument does not cover:
>
>  * message encryption and signature formats (e.g. PGP/MIME vs. S/MIME)
>  * transport layer tunnelling and authentication (e.g. TLS)
>
> these are separate decisions from the certificate formats, and should be
> made separately.

Why not use the same key pair to generate an X.509 cert and a GPG key,
and have the best of both worlds?

I think the GNOME keyring is doing some unification work in this area.

>
>        --dkg
>
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
>
>



More information about the Freedombox-discuss mailing list