[Freedombox-discuss] Freedombox CA

Anders Jackson anders.jackson at gmail.com
Thu Sep 12 13:22:25 UTC 2013


Interesting.

On 12 Sep 2013 15:09, "Keith" <keith at fernie.eu> wrote:
>
> After further thought:
>
> With a CA on each freedombox we could have something like this
>
> Create a CA using (options used could be changed)
> openssl genrsa -des3 -out "Freedombox CA.key" 4096
> openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"

Isn't this just a new snake oil certificate?  I would like a simple GUI to
add CAcert.org certificates, or from any other CA.

Also generate certificate keys that can be imported to web browsers and
used to log in on your freedombox web interface. One for each user, and
easy to remove.

I think there is work on using PGP keys in TLS (SSL), does anyone know
the name? I think that would be more useful and it would be more along
the lines of your idea, I think.

> Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
> bits, could use 4096 bits if Postfix is the MTA used).
>
> Include in Plinth an option for a freedom box to obtain ssl keys with
> the Freedombox CA. No interface to an external website, openssl can do
> this.
>
> The public key of the Freedombox CA could be published, to be imported
> into someone else's browser; there could be a problem with multiple
> Freedombox CAs with the same name.
>
> Possibly a paranoid option to rotate the ssl keys on the freedom box
> running manually and/or as a cron job (Now doing this daily with one of
> my mailservers).
>
>
> On Thu, 2013-09-12 at 12:05 +0200, Jonas Smedegaard wrote:
> > Quoting Keith (2013-09-12 12:43:28)
> > > Anyone for setting up a Freedombox CA?
> > > This could be added to the freedombox as a trusted CA and usable for
> > > freedombox to freedombox TLS only.
> >
> > Please update subject field to reflect when, well, changing subject.
> >
> > It could, if it is deemed sensible to trust an external entity separate
> > from other external entities with a lot more eyeballs on them.
> >
> > Or, if your idea is that "we" run the CA, I am curious how "we" as a
> > non-hierarchical body deal with such a hierarchical structure as a CA.
> >
> > Personally I would prefer this sliding scale:
> >
> >   common CAs -> CAcert.org -> no CAs
> >
> > I.e. I see no need for creating a new CA.  But am open to (at least try
> > to) understand the reasoning behind your idea. :-)
> >
> >
> >  - Jonas
> >
> > _______________________________________________
> > Freedombox-discuss mailing list
> > Freedombox-discuss at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
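Added example, not part of the original message or of FreedomBox: a sketch of the per-box CA and per-user client certificates discussed in this thread, showing why two boxes that both name their CA "Freedombox CA" can only be told apart by fingerprint. The function names, directory layout and the user "alice" are hypothetical; 2048-bit keys and no -des3 passphrase are assumptions made so the script runs quickly and unattended.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, directory layout and the
# user "alice" are hypothetical. 2048-bit keys and no -des3 passphrase are used
# only so the demo runs quickly and unattended.
set -eu

make_ca() {            # make_ca DIR: self-signed CA named "Freedombox CA"
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -subj "/CN=Freedombox CA" -out "$1/ca.pem"
}

ca_subject()     { openssl x509 -in "$1/ca.pem" -noout -subject; }
ca_fingerprint() { openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256; }

issue_user_cert() {    # issue_user_cert DIR USER: one client cert per user
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.pem" 2>/dev/null
}

chains_to() {          # chains_to CA_DIR CERT: true only if CERT verifies
    openssl verify -CAfile "$1/ca.pem" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed demo: two boxes each create a CA with the same subject name.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK/boxA"
make_ca "$WORK/boxB"
issue_user_cert "$WORK/boxA" alice

echo "box A: $(ca_subject "$WORK/boxA") / $(ca_fingerprint "$WORK/boxA")"
echo "box B: $(ca_subject "$WORK/boxB") / $(ca_fingerprint "$WORK/boxB")"
if chains_to "$WORK/boxA" "$WORK/boxA/alice.pem"; then
    echo "alice's certificate verifies against box A's CA"
fi
if ! chains_to "$WORK/boxB" "$WORK/boxA/alice.pem"; then
    echo "alice's certificate is rejected by box B's CA despite the same CA name"
fi
```

The subject lines printed for the two boxes are identical while the SHA-256 fingerprints differ, so anyone importing a published "Freedombox CA" certificate has to compare the fingerprint, not the name.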