[Freedombox-discuss] my summary of yesterday's Hackfest

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 1 17:00:36 UTC 2011


On 03/01/2011 11:50 AM, Melvin Carvalho wrote:
> Why not use the same key pair to generate an X.509 cert and a GPG key,
> and have the best of both worlds?

Sure, you can generate an arbitrary number of X.509 certificate requests
from a given key, whether or not that key has been used to create an
OpenPGP certificate.  Who will sign those certificate requests?  Which
certifiers should the FreedomBox trust?

The question for this list is whether FreedomBox should be relying on
X.509 certificates for authentication, or whether it should prefer a
certificate model that was designed from the ground up to be
decentralized (as OpenPGP is).

I have no objections to using X.509 certificates as simple, "dummy"
public-key carriers (as soon as i can find the time, i hope to publish
some work that encourages this use case, in fact).

But I do have a strong objection to contaminating the Freedom Box with
the flawed certificate authority model currently used by the
"widely-adopted" mass of X.509 software.

> I think the GNOME keyring is doing some unification work in this area.

i'd be interested to see a pointer to this work.

	--dkg
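
Added example, not part of the original message or of any FreedomBox code: a shell sketch of the point above, that one key pair can be wrapped in any number of X.509 requests or a self-signed "carrier" certificate, and that a relying party can check the carried public key without consulting any certifier. It assumes the `openssl` command-line tool is installed; all file names and subject names are made up for the example.

```shell
#!/bin/sh
# Constructed demo; file names and subject names are assumptions for illustration.

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key read on stdin.
spki_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_fp()  { openssl pkey -in "$1" -pubout | spki_fp; }
csr_fp()  { openssl req  -in "$1" -pubkey -noout | spki_fp; }
cert_fp() { openssl x509 -in "$1" -pubkey -noout | spki_fp; }

# Wrap one key pair in two certificate requests and one self-signed certificate.
make_wrappers() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/box.key" 2>/dev/null &&
    openssl req -new -key "$dir/box.key" -subj "/CN=box.example"  -out "$dir/a.csr" &&
    openssl req -new -key "$dir/box.key" -subj "/CN=mail.example" -out "$dir/b.csr" &&
    openssl req -new -x509 -days 30 -key "$dir/box.key" \
        -subj "/CN=carrier" -out "$dir/carrier.crt"
}

# Relying-party check: accept a certificate only if it carries the pinned key.
# Issuer, subject and validity are deliberately not consulted here.
carries_key() {
    [ "$(cert_fp "$1")" = "$2" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_wrappers "$tmp" || return 1
    pin=$(key_fp "$tmp/box.key")
    echo "key         $pin"
    echo "a.csr       $(csr_fp "$tmp/a.csr")"
    echo "b.csr       $(csr_fp "$tmp/b.csr")"
    echo "carrier.crt $(cert_fp "$tmp/carrier.crt")"
    carries_key "$tmp/carrier.crt" "$pin" && echo "carrier.crt carries the pinned key"
    rm -rf "$tmp"
}
demo
```

All four fingerprints printed by `demo` are identical, because each wrapper embeds the same SubjectPublicKeyInfo; how the pinned fingerprint itself gets authenticated (for instance through an OpenPGP certification) is outside what the sketch shows.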
