[Freedombox-discuss] Announcing Santiago Release Candidate 1

Michael Rauch l15t at miranet.ch
Wed May 23 22:13:50 UTC 2012

On 05/21/2012 10:39 PM, Daniel Kahn Gillmor wrote:
> On 05/20/2012 10:00 AM, Michael Rauch wrote:
>>> Has anyone looked into using PGP keys as SSL certificates?
>> Monkeysphere [0] can create a pgp-cert based on the an existing X.509
>> cert by extracting its RSA key.
>> There's a post on Stackoverflow [1] about doing it the other way around,
>> creating a X.509 cert based on a pgp-cert.
>> 0: http://web.monkeysphere.info/doc/host-keys/
>> 1:
>> http://stackoverflow.com/questions/4061319/is-it-possible-to-create-an-ssl-certificate-out-of-a-pgp-public-private-key
>> 2:
>> https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java
> RFC 6091 defines a way to use OpenPGP certificates instead of X.509
> certificates for TLS sessions:
>    https://tools.ietf.org/html/rfc6091
> You might also be interested in this discussion n the monkeysphere list
> about generating X.509 certificates that refer directly back to their
> OpenPGP origin:
>   https://lists.riseup.net/www/arc/monkeysphere/2011-03/msg00027.html

Thank you for posting the links.

I see the need for using X.509 certs mainly for serving HTTPS to clients 
like browsers. Other than that and whenever possible, I would choose to 
stay on the sunny side of decentralized WoT by sticking to OpenPGP.

What got me thinking about bridging OpenPGP and X.509 in the first place 
were Tor Hidden Services. As Nick mentioned earlier in this thread, a 
Tor Hidden Service .onion address could be used as some sort of 
'anonymous DynDNS'.

I'm not that familiar with Tor, but as I understand it, the client of a 
Tor Hidden Service gets a server-authenticated end-to-end encrypted 
circuit for TCP streams. This works with Tor specific proxies on both 
the client and server side and could be an inter-freedombox scenario.

However it's different if the client side doesn't run the Tor SOCKS 
proxy and reaches the Hidden Service over a www2onion proxy like 
tor2web.org. In this case, the Tor circuit is terminated at tor2web.org 
and server-auth is lost. If the Hidden Service would do a HTTP redirect 
to itself using its proper IP-Address, server-auth could be regained 
with HTTPS. And that's where we would be back in the monkeysphere and 
the problem of bridging PGP and X.509 Trustmodels in the browser.

Anyhow, this is just a thought and not meant as a solution proposal.


More information about the Freedombox-discuss mailing list