[Freedombox-discuss] Steps for integrating in Monkeysphere to Freedombox

Adrian Gropper agropper at healthurl.com
Thu Dec 17 04:26:30 UTC 2015


Should we be incorporating https://letsencrypt.org/ at the same time?

Adrian

On Wed, Dec 16, 2015 at 4:53 PM, Marc Jones <mjones at softwarefreedom.org>
wrote:

> Sunil and James,
>
> As we discussed before we want to get the SSL Client certificate auth
> integrated into freedombox for the 0.8 release. I put a proposal in to
> present at LibrePlanet in March and I think this would be a cool thing to
> show off.
>
> To get there though we have some work because we are kind of blazing a
> new trail. No one is doing anything like this right now. But I think it
> will be a great foundation for doing more stuff because it is a first
> step in having our freedomboxes know about PGP. (Maybe one day we can
> use PGP to allow FBXs to exchange data with each other. FBX backups
> perhaps!)
>
> To get this integrated I think we have all of the components, we just
> need to pick a plan for an initial implementation. James suggested we do
> this as an experimental plinth module for 0.8, which I think makes a lot
> of sense because until we get mod_auth_env in Debian that will have to
> be installed manually. Plus I think this really is an experiment.
>
> There are lots of use cases based on whether or not the Freedombox owner
> has a PGP key already, but I think if we assume that the FBX owner has a
> PGP key already published in the WoT it makes our initial goal as simple
> as it can be. In this case, I think we need to do the following things
> at minimum to say we have this integrated in:
>
> 1) package up mod_auth_env to make it as simple as possible to install
> by hand (DONE by James)
>
> 2) Create monkeysphere plinth module that will:
>         * turn on Client Cert Auth
>                 * turn on mod_auth_env
>                 * turn on mod_gnutls client cert support as optional
>                 * turn on apache auth as optional
>                 * run msva
>         * Allow user to add what PGP keys for MSVA to trust for
>           verification purposes based on email or fingerprint published
>           in WoT
>
> 3) modify plinth to recognize Apache Auth username, but only if
> mod_gnutls has verified the address. If there is no Apache Auth user
> then Plinth operates as it does now.
>
> 4) Give instructions on how to convert your PGP key into a Client SSL
> cert and load it into your browser
>
>
> I think the Apache Auth configuration should for now make the Client
> Cert option and the Apache user optional so if no client cert is
> present it just falls through to Plinth's current internal auth.
>
> What do you guys think of this as a first step? This would let us set
> up a freedombox that used SSL Client certs that you could let your
> friends access. I am thinking eventually having the official project
> website hosted on a freedombox that core devs can update by logging in
> via SSL client certs or something.
>
> After this there should be some quick wins like monkeysphere based SSH
> login, monkeysphere SSH key verification, making keys for users who don't
> already have PGP certs, etc. We might even be able to use
> monkeysphere to provide authenticated SSL server certs for accessing
> FBXs via Tor hidden addresses since you still can't get certificate
> cartel SSL certs for .onion addresses.
>
> -Marc
>
> --
> Marc Jones
> Counsel
> Software Freedom Law Center
> 1995 Broadway, 17th Floor
> New York, NY 10023
> Tel: 212-461-1919
> Fax: 212-580-0898
> Email: mjones at softwarefreedom.org
> www.softwarefreedom.org
>



-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
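The fall-through rule in Marc's step 3 (trust the Apache-supplied username only when mod_gnutls has actually verified the client certificate, otherwise use Plinth's internal login) as an added example; this is not code from Plinth, Monkeysphere or the thread, and the environment variable names SSL_CLIENT_VERIFY and REMOTE_USER are assumptions about what mod_gnutls and mod_auth_env export.

```python
# Added example, not Plinth's or Monkeysphere's code. Implements the rule from
# the thread: a username handed over by Apache is trusted only if mod_gnutls
# reports the client certificate as verified; anything else falls through to
# Plinth's own internal authentication.
# Assumptions: mod_gnutls exposes the result as SSL_CLIENT_VERIFY
# ("SUCCESS" / "FAILED" / "NONE") and mod_auth_env places the identity in
# REMOTE_USER. Both names are assumptions, not taken from the post.
from typing import Callable, Optional

VERIFIED = "SUCCESS"


def apache_auth_user(environ: dict) -> Optional[str]:
    """Username to trust from the Apache layer, or None to fall through."""
    user = environ.get("REMOTE_USER", "").strip()
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if not user:
        # No client certificate was mapped to a user: use internal auth.
        return None
    if verify != VERIFIED:
        # A username without a verified certificate is never trusted; it
        # could come from a misconfigured vhost or an unverified handshake.
        return None
    return user


def resolve_user(environ: dict,
                 internal_login: Callable[[dict], Optional[str]]) -> Optional[str]:
    """Certificate-backed identity first, otherwise Plinth's internal login."""
    user = apache_auth_user(environ)
    if user is not None:
        return user
    return internal_login(environ)


# Constructed sample request environments (not captured from a real server).
VERIFIED_REQ = {"REMOTE_USER": "alice", "SSL_CLIENT_VERIFY": "SUCCESS"}
UNVERIFIED_REQ = {"REMOTE_USER": "mallory", "SSL_CLIENT_VERIFY": "FAILED"}
NO_CERT_REQ = {"SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, env in (("verified", VERIFIED_REQ),
                      ("unverified", UNVERIFIED_REQ),
                      ("no cert", NO_CERT_REQ)):
        print(name, "->", resolve_user(env, lambda e: "internal-user"))
```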