[Freedombox-discuss] Announcing Santiago Release Candidate 1
Michael Rauch
l15t at miranet.ch
Wed May 23 22:13:50 UTC 2012
On 05/21/2012 10:39 PM, Daniel Kahn Gillmor wrote:
> On 05/20/2012 10:00 AM, Michael Rauch wrote:
>>> Has anyone looked into using PGP keys as SSL certificates?
>>
>> Monkeysphere [0] can create a pgp-cert based on an existing X.509
>> cert by extracting its RSA key.
>>
>> There's a post on Stackoverflow [1] about doing it the other way around,
>> creating an X.509 cert based on a pgp-cert.
>>
>> 0: http://web.monkeysphere.info/doc/host-keys/
>> 1: http://stackoverflow.com/questions/4061319/is-it-possible-to-create-an-ssl-certificate-out-of-a-pgp-public-private-key
>>
>> 2: https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java
>
> RFC 6091 defines a way to use OpenPGP certificates instead of X.509
> certificates for TLS sessions:
>
> https://tools.ietf.org/html/rfc6091
>
> You might also be interested in this discussion on the monkeysphere list
> about generating X.509 certificates that refer directly back to their
> OpenPGP origin:
>
> https://lists.riseup.net/www/arc/monkeysphere/2011-03/msg00027.html
>
Thank you for posting the links.
I see the need for using X.509 certs mainly for serving HTTPS to clients
like browsers. Other than that and whenever possible, I would choose to
stay on the sunny side of decentralized WoT by sticking to OpenPGP.
What got me thinking about bridging OpenPGP and X.509 in the first place
were Tor Hidden Services. As Nick mentioned earlier in this thread, a
Tor Hidden Service .onion address could be used as some sort of
'anonymous DynDNS'.
I'm not that familiar with Tor, but as I understand it, the client of a
Tor Hidden Service gets a server-authenticated end-to-end encrypted
circuit for TCP streams. This works with Tor-specific proxies on both
the client and server side and could be an inter-freedombox scenario.
However it's different if the client side doesn't run the Tor SOCKS
proxy and reaches the Hidden Service over a www2onion proxy like
tor2web.org. In this case, the Tor circuit is terminated at tor2web.org
and server-auth is lost. If the Hidden Service did an HTTP redirect
to itself using its proper IP address, server-auth could be regained
with HTTPS. And that's where we would be back in the monkeysphere and
the problem of bridging PGP and X.509 trust models in the browser.
Anyhow, this is just a thought and not meant as a solution proposal.
Cheers,
Michael
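The quoted Monkeysphere note above rests on one fact: an OpenPGP certificate and an X.509 certificate are just two containers for the same RSA public key. The following Python script is an added illustration of that bridge; it is not from this thread, from Monkeysphere or from the Stackoverflow post. It builds an X.509 SubjectPublicKeyInfo (the structure inside a certificate that carries the key) for a constructed toy RSA key, parses the modulus and exponent back out of that DER, wraps the same numbers in an RFC 4880 version-4 public key packet, and derives the OpenPGP fingerprint and key ID from it. The RSA values and the creation timestamp are constructed sample inputs, and the DER parser handles only the subset of ASN.1 this structure needs.

```python
"""Bridge the same RSA public key between X.509 (DER) and OpenPGP (RFC 4880)."""
import hashlib
import struct

# --- minimal DER encoder/decoder (only what SubjectPublicKeyInfo needs) ---

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body

def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_encode(0x02, raw)

def der_decode(data: bytes, offset: int = 0):
    """Return (tag, body, next_offset) for the TLV starting at offset."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    return tag, data[offset:offset + length], offset + length

def der_children(body: bytes):
    """Split a SEQUENCE body into its (tag, body) children."""
    items, offset = [], 0
    while offset < len(body):
        tag, child, offset = der_decode(body, offset)
        items.append((tag, child))
    return items

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

def build_spki(n: int, e: int) -> bytes:
    """X.509 SubjectPublicKeyInfo for an RSA key (PKCS#1 RSAPublicKey inside)."""
    rsa_public_key = der_encode(0x30, der_integer(n) + der_integer(e))
    alg_id = der_encode(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # OID + NULL params
    bit_string = der_encode(0x03, b"\x00" + rsa_public_key)      # 0 unused bits
    return der_encode(0x30, alg_id + bit_string)

def rsa_from_spki(spki: bytes):
    """Extract (n, e) from a SubjectPublicKeyInfo; reject non-RSA keys."""
    tag, body, _ = der_decode(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (alg_tag, alg_body), (bs_tag, bs_body) = der_children(body)
    oid_tag, oid = der_children(alg_body)[0]
    if alg_tag != 0x30 or oid_tag != 0x06 or der_encode(0x06, oid) != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    if bs_tag != 0x03 or bs_body[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_body, _ = der_decode(bs_body, 1)  # skip the unused-bits octet
    (n_tag, n_raw), (e_tag, e_raw) = der_children(rsa_body)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

# --- OpenPGP side (RFC 4880 section 5.5.2 and 12.2) ---

def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def openpgp_public_key_body(n: int, e: int, created: int) -> bytes:
    """v4 public key packet body: version, creation time, algorithm 1 (RSA), MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def openpgp_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format packet: tag 6 with a two-octet length gives header byte 0x99."""
    body = openpgp_public_key_body(n, e, created)
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint_from_packet(packet: bytes) -> str:
    """v4 fingerprint = SHA-1 over 0x99, two-octet body length, body (i.e. the packet)."""
    return hashlib.sha1(packet).hexdigest().upper()

def openpgp_fingerprint(n: int, e: int, created: int) -> str:
    return fingerprint_from_packet(openpgp_public_key_packet(n, e, created))

def openpgp_key_id(fingerprint: str) -> str:
    """Long key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]

if __name__ == "__main__":
    n, e, created = 3233, 17, 1337000000  # constructed toy key (61*53), not real key material
    spki = build_spki(n, e)
    n2, e2 = rsa_from_spki(spki)          # "extract the RSA key" from the X.509 container
    fpr = openpgp_fingerprint(n2, e2, created)
    print("SPKI DER :", spki.hex())
    print("OpenPGP  :", fpr, "key id", openpgp_key_id(fpr))
```

Two caveats show up in the code: the OpenPGP fingerprint covers the creation timestamp, so an X.509-derived OpenPGP key only reproduces an existing fingerprint if the original creation time is reused (which is what the "refer directly back to their OpenPGP origin" discussion is about), and the fingerprint input is exactly the old-format packet framing, so any tool that re-serialises the key with a different creation time produces a different identity.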