[Freedombox-discuss] Freedombox CA

Eugen Leitl eugen@leitl.org
Thu Sep 12 23:02:42 PDT 2013


----- Forwarded message from Jonathan Wilkes <jancsika@yahoo.com> -----

Date: Thu, 12 Sep 2013 12:19:59 -0400
From: Jonathan Wilkes <jancsika@yahoo.com>
To: freedombox-discuss@lists.alioth.debian.org
Subject: Re: [Freedombox-discuss] Freedombox CA
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 09/12/2013 10:06 AM, Keith wrote:
> After further thought:
> 
> With a CA on each freedombox we could have something like this
> 
> Create a CA using (options used could be changed)
> openssl genrsa -des3 -out "Freedombox CA.key" 4096
> openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out
> "Freedombox CA.pem"
> 
> Possibly replace any snakeoil keys created by Debian (Postfix uses 2048
> bits, could use 4096 bits if Postfix is the MTA used).
> 
> Include in Plinth an option for a freedom box to obtain ssl keys with
> the Freedombox CA. No interface to an external website, openssl can do
> this.
> 
> The public key of the Freedombox CA could be published, to be imported
> into someone else's browser, could be a problem with multiple Freedombox
> CA's with the same name.
> 
> Possibly a paranoid option to rotate the ssl keys on the freedom box
> running manually and/or as a cron job (Now doing this daily with one of
> my mailservers).

Hi Keith,
     In short, the entire white-hat security community guessed what
"prohibitively expensive" meant.  They guessed too low.  Now we
know, and everyone (including the white-hats and the surveillance
industry) are scrambling to recover from the revelation.

Some are thinking of it as the tinfoil hats coming off.  I think of it as
tinfoil hats appearing on every head of every person who has a device
connected to the internet.  I like it that way because "paranoid" becomes
a synonym for "human", and all those previous "paranoid options" that
are cordoned off with scant documentation suddenly become "bad
human interfaces" which were prohibitively complicated to have actually
provided security or privacy to the user when it turned out that they
needed it.

So to me, "paranoid option" now either means a) core feature which should
be implemented cleanly, by default, or b) a dead coal mine canary that
says the
interface itself is too complicated, so start over and rethink it.

Best,
Jonathan

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the cypherpunks mailing list