[Freedombox-discuss] my summary of yesterday's Hackfest
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 1 17:23:27 UTC 2011
On 03/01/2011 12:08 PM, Melvin Carvalho wrote:
> On 1 March 2011 18:00, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> I have no objections to using X.509 certificates as simple, "dummy"
>> public-key carriers (as soon as i can find the time, i hope to publish
>> some work that encourages this use case, in fact).
>>
>> But I do have a strong objection to contaminating the Freedom Box with
>> the flawed certificate authority model currently used by the
>> "widely-adopted" mass of X.509 software.
>
> Self sign your X.509 and you dont need a CA.
Right; thereby discarding the flawed CA model, and using the certificate
as a dummy public-key carrier. The problem with this is that we still
have no way of verifying/revoking these keys. This is where the
certificate format comes in, and is the place i think FreedomBox should
use OpenPGP.
>>> I think the GNOME keyring is doing some unification work in this area.
>>
>> i'd be interested to see a pointer to this work.
>
> http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf
thanks, i'm glad to see that they're on the right track. pkcs#11 is
good for handling secret keys. unfortunately, the library spec is
pretty weak for dealing with alternate certification mechanisms. I'll
get in touch with these folks to see if there's a way to collaborate.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110301/dcbf84ba/attachment-0001.pgp>
More information about the Freedombox-discuss
mailing list