[Freedombox-discuss] Announcing Santiago Release Candidate 1

Michael Rogers michael at briarproject.org
Mon May 21 21:06:54 UTC 2012


On 21/05/12 21:39, Daniel Kahn Gillmor wrote:
> RFC 6091 defines a way to use OpenPGP certificates instead of
> X.509 certificates for TLS sessions:
> 
> https://tools.ietf.org/html/rfc6091
> 
> You might also be interested in this discussion on the monkeysphere
> list about generating X.509 certificates that refer directly back
> to their OpenPGP origin:
> 
> https://lists.riseup.net/www/arc/monkeysphere/2011-03/msg00027.html

This may be outside the Freedom Box's threat model, in which case it's
totally fine to leave this problem unsolved, but it seems to me that
an ISP or government could write a filter rule to block
PGP-authenticated TLS traffic without blocking CA-authenticated TLS
traffic.

If I remember right, the Iranian government did something similar to
distinguish Tor traffic from other TLS traffic by looking at the
certificates exchanged during the TLS handshake.

Cheers,
Michael