Fantastic, I'm currently at a p2p hackathon in Berlin, but I'll give it a try with my 4 Guruplugs when I get home.
Markus
--
Project Danube: http://projectdanube.org
Personal Data Ecosystem Consortium: http://personaldataecosystem.org/

On Tue, May 15, 2012 at 4:35 PM, Nick M. Daly <[email protected]> wrote:
> Hi folks, I'm proud to announce the first release candidate (developer
> preview) of the Santiago service. Santiago is designed to let users
> negotiate services without third party interference. By sending OpenPGP
> signed and encrypted messages over HTTPS (or other protocols) between
> parties, I hope to reduce or even prevent MITM attacks. Santiago can
> also use the Tor network as a proxy (with Python 2.7 or later), allowing
> this negotiation to happen very quietly.
>
> Santiago currently lives at:
>
> https://github.com/nickdaly/plinth/tree/santiago
>
> Currently, it needs a *lot* of polish, but there's enough for a
> technical demonstration and basic use. Try combining it with .onion
> addresses.
>
> Testing it out takes a bit of setup:
>
> - This was all tested on Debian Stable, so I know it works on Python
> 2.6. Other versions may work differently.
>
> - You need a PGP key. You probably want to make a new password-less key
> specifically for Santiago.
>
> Santiago's running as a service, and you won't always be there to
> enter the password when the gnupg-agent times out and locks the
> keyring again. At that point, Santiago will block while waiting for
> (or fail without) the password.
>
> - You need [python-gnupg](http://code.google.com/p/python-gnupg). Make
> sure it's either in your PYTHONPATH, or edit the start.sh and test.sh
> files so that it can be found.
>
> - You need a ``production.cfg`` or ``test.cfg`` file with contents like
> the following:
>
> [pgpprocessor]
> keyid = (your 40-character key identifier)
>
> - You need an SSL certificate (the ``ssl-cert`` package is required).
> Run the following as root, changing the group as necessary:
>
> # make-ssl-cert generate-default-snakeoil
> # make-ssl-cert /usr/share/ssl-cert/ssleay.cnf santiago.crt
> # chgrp 1000 santiago.crt
> # chmod g+r santiago.crt
>
> See ``/usr/share/doc/apache2.2-common/README.Debian.gz`` for more
> details.
>
> - Either set up a Tor listener on port 8118, or set the proxy port to
> "None" or 80, if you're running Python 2.7 or later.
>
> - Run ``make`` once in the Plinth root directory to create the config
> files you need.
>
> - Running ``bash start.sh`` in a console will set up a Santiago service
> that communicates with itself. You can see the Santiago service learn
> about the "https://somestuff" location (it'll appear in the
> "consuming" dictionary) if you navigate to:
>
> https://localhost:8080/query?service=santiago&host=(your key ID)
>
> It'll give you a warning about an untrusted certificate, but since
> you just made that certificate, ignore the warning.
>
> After you load the page, you won't see anything. That's by design.
> You'll need to watch the debug messages (look for one reading
> "Success!") or Ctrl+C out of the server to drop into PDB where you can
> examine the santiago.consuming dictionary.
>
> Technically, it works, but with a fair number of caveats:
>
> - Python doesn't currently verify the HTTPS certificates used. We still
> use the OpenPGP key for verification, but it'd be helpful.
>
> - It'd also be nice to munge the PGP key into the HTTPS certificate,
> requiring only a single identity document to secure all the
> communications.
>
> - It doesn't yet play well with others (you can't read the hosting and
> consuming dictionaries from other processes very well). Please let me
> know your ideas for fixing this.
>
> - It needs better state storage and recovery. Doing this well is my
> highest priority right now (the blocker for the 0.2 release).
>
> - The current start methods appear to block, so new protocols might not
> load when you expect them to.
>
> - It needs more tests; there are still a good number of behaviors that
> work but aren't verified.
>
> - As you can see above, setup isn't easy.
>
> Future directions:
>
> - Request proxying: If Alice can't reach Bob, but they both can reach
> Carl, Carl can pass the messages for them.
>
> - Not-braindead state storage and restoration.
>
> Please test it out and let me know your thoughts. I'll make it easier
> to handle and use over the coming days and weeks, but I just wanted to
> get it out the door now that it has successfully integrated PGP. If you
> have any changes you'd like to see, at all, please send me a patch or
> fork the repository.
>
> James, you can pull it now. :)
>
> Nick
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
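The announcement above says Santiago relies on the OpenPGP signature, not the HTTPS certificate, to verify the peer, and that a successful query fills the "consuming" dictionary. The following is an added illustration of what that consumer-side check has to include; it is not code from the Santiago repository. It assumes a reply is a JSON object with "service" and "locations" fields (the message format is not given in the mail), a decrypt backend shaped like python-gnupg's gpg.decrypt() result, and uses constructed placeholder fingerprints and a fake backend so it runs without gpg.

```python
import json
import re

# production.cfg names the local key by a 40-character key identifier, and the
# query URL names the peer the same way, so that is what a reply must match.
KEYID_RE = re.compile(r"^[0-9A-F]{40}$")


class SantiagoConsumer(object):
    """Consumer side: accept a signed+encrypted reply only from the key we queried."""

    def __init__(self, decrypt):
        # decrypt(ciphertext) returns an object like python-gnupg's gpg.decrypt()
        # result: .ok (decrypted), .fingerprint (verified signer) and .data (plaintext).
        self.decrypt = decrypt
        self.consuming = {}  # consuming[service][host] -> list of learned locations

    def handle_reply(self, service, host, ciphertext):
        host = host.upper()
        if not KEYID_RE.match(host):
            raise ValueError("host must be a 40-character key identifier")
        result = self.decrypt(ciphertext)
        if not result.ok:
            raise ValueError("decryption failed")
        # A valid signature from *some* key is not enough: the signer must be the
        # host we asked about, otherwise any keyholder could answer on its behalf.
        if (result.fingerprint or "").upper() != host:
            raise ValueError("reply signed by %r, expected %r" % (result.fingerprint, host))
        reply = json.loads(result.data)
        if reply.get("service") != service:
            raise ValueError("reply is for %r, not %r" % (reply.get("service"), service))
        locations = list(reply.get("locations", []))
        self.consuming.setdefault(service, {})[host] = locations
        return locations


# Constructed stand-ins so the example runs offline without gpg (not real keys).
class FakeCrypt(object):
    def __init__(self, ok, fingerprint, data):
        self.ok, self.fingerprint, self.data = ok, fingerprint, data

BOB_KEY = "A" * 40  # placeholder fingerprint of the host we query
EVE_KEY = "B" * 40  # placeholder fingerprint of some other keyholder

def fake_decrypt(ciphertext):
    # Fake gpg.decrypt(): the "ciphertext" here is just "<signer fingerprint>:<json>".
    signer, body = ciphertext.split(":", 1)
    return FakeCrypt(True, signer, body)
```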
