On 21/05/12 21:39, Daniel Kahn Gillmor wrote:
> RFC 6091 defines a way to use OpenPGP certificates instead of
> X.509 certificates for TLS sessions:
>
> https://tools.ietf.org/html/rfc6091
>
> You might also be interested in this discussion on the monkeysphere
> list about generating X.509 certificates that refer directly back
> to their OpenPGP origin:
>
> https://lists.riseup.net/www/arc/monkeysphere/2011-03/msg00027.html
This may be outside the Freedom Box's threat model, in which case it's totally fine to leave this problem unsolved, but it seems to me that an ISP or government could write a filter rule to block PGP-authenticated TLS traffic without blocking CA-authenticated TLS traffic. If I remember right, the Iranian government did something similar to distinguish Tor traffic from other TLS traffic by looking at the certificates exchanged during the TLS handshake.

Cheers,
Michael

Freedombox-discuss mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
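An added example, not from the thread, of why the RFC 6091 mechanism is distinguishable on the wire: the cert_type extension (type 9) is sent unencrypted in the ClientHello, so an operator can inspect their own client's handshake to see whether it advertises OpenPGP at all. The ClientHello bytes below are constructed for the example rather than captured.

```python
import struct

# RFC 6091 "cert_type" extension number and the certificate types it can list
CERT_TYPE_EXT = 9
CERT_TYPE_X509 = 0
CERT_TYPE_OPENPGP = 1

def build_client_hello(cert_types=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture).
    cert_types: list of cert_type values to advertise, or None for no extension."""
    exts = b""
    if cert_types is not None:
        body = bytes([len(cert_types)]) + bytes(cert_types)
        exts += struct.pack("!HH", CERT_TYPE_EXT, len(body)) + body
    hello = (b"\x03\x03" + b"\x00" * 32             # client_version, random (zeroed)
             + b"\x00"                              # empty session id
             + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
             + b"\x01\x00"                          # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_extensions(record):
    """Return {extension_type: data} parsed from a cleartext ClientHello record; {} if malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return {}
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                           # not a ClientHello
            return {}
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                        # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        exts = {}
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        return exts
    except (IndexError, struct.error):
        return {}

def offers_openpgp(record):
    """True if the ClientHello advertises OpenPGP in cert_type (the signal visible on the wire)."""
    data = client_hello_extensions(record).get(CERT_TYPE_EXT, b"")
    return bool(data) and data[0] == len(data) - 1 and CERT_TYPE_OPENPGP in data[1:]
```

A hello that omits the extension entirely is indistinguishable from an ordinary X.509 client at this layer; one that lists OpenPGP is not.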
