----- Forwarded message from Jonathan Wilkes <jancsika@yahoo.com> -----

Date: Thu, 12 Sep 2013 12:19:59 -0400
From: Jonathan Wilkes <jancsika@yahoo.com>
To: freedombox-discuss@lists.alioth.debian.org
Subject: Re: [Freedombox-discuss] Freedombox CA
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 09/12/2013 10:06 AM, Keith wrote:
After further thought:
With a CA on each freedombox we could have something like this
Create a CA using (options used could be changed)
    openssl genrsa -des3 -out "Freedombox CA.key" 4096
    openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"
Possibly replace any snakeoil keys created by Debian (Postfix uses 2048 bits, could use 4096 bits if Postfix is the MTA used).
Include in Plinth an option for a freedom box to obtain ssl keys with the Freedombox CA. No interface to an external website, openssl can do this.
The public key of the Freedombox CA could be published, to be imported into someone else's browser; could be a problem with multiple Freedombox CAs with the same name.
Possibly a paranoid option to rotate the ssl keys on the freedom box running manually and/or as a cron job (Now doing this daily with one of my mailservers).

Hi Keith,

In short, the entire white-hat security community guessed what "prohibitively expensive" meant. They guessed too low. Now we know, and everyone (including the white-hats and the surveillance industry) is scrambling to recover from the revelation.

Some are thinking of it as the tinfoil hats coming off. I think of it as tinfoil hats appearing on every head of every person who has a device connected to the internet. I like it that way because "paranoid" becomes a synonym for "human", and all those previous "paranoid options" that are cordoned off with scant documentation suddenly become "bad human interfaces" which were prohibitively complicated to have actually provided security or privacy to the user when it turned out that they needed it.

So to me, "paranoid option" now either means a) core feature which should be implemented cleanly, by default, or b) a dead coal mine canary that says the interface itself is too complicated, so start over and rethink it.

Best,
Jonathan

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
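
An added example, not part of the forwarded thread: a shell sketch of the per-box CA Keith proposes, showing a service certificate issued by the box's CA and why two CAs that share the name "Freedombox CA" must be told apart by fingerprint. The directory names, host name, unencrypted 2048-bit keys and helper function names are assumptions made so it runs non-interactively.

```shell
#!/bin/sh
# Added example. Keys are unencrypted and 2048-bit only so this runs without
# prompts; Keith's commands use -des3 and 4096 bits. All names are constructed.

# make_ca DIR: self-signed CA whose subject is always "Freedombox CA".
make_ca() {
    mkdir -p "$1" &&
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -subj "/CN=Freedombox CA" -out "$1/ca.pem"
}

# issue_cert CADIR NAME DAYS: fresh key and CSR for NAME, signed by CADIR's CA.
# A daily cron rotation would re-run this with a small DAYS value.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2.pem" 2>/dev/null
}

# ca_fingerprint DIR: SHA-256 fingerprint, the value to compare out of band
# before importing a CA, since the subject name alone is not unique.
ca_fingerprint() {
    openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256
}

# verifies_under CADIR CERT: succeeds only if CERT chains to CADIR's CA.
verifies_under() {
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/boxA" && make_ca "$d/boxB" || return 1
    issue_cert "$d/boxA" mail.box.example 2 || return 1
    ca_fingerprint "$d/boxA"; ca_fingerprint "$d/boxB"  # same name, different keys
    verifies_under "$d/boxA" "$d/boxA/mail.box.example.pem" && echo "boxA CA: accepted"
    verifies_under "$d/boxB" "$d/boxA/mail.box.example.pem" || echo "boxB CA: rejected"
    rm -rf "$d"
}
demo
```

Re-issuing a certificate does not invalidate the previous one; it remains acceptable to anyone trusting the CA until it expires, which is why the validity period is kept short here.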