On 05/21/2012 10:39 PM, Daniel Kahn Gillmor wrote:
On 05/20/2012 10:00 AM, Michael Rauch wrote:
Has anyone looked into using PGP keys as SSL certificates?

Monkeysphere [0] can create a pgp-cert based on an existing X.509
cert by extracting its RSA key.

There's a post on Stackoverflow [1] about doing it the other way around,
creating a X.509 cert based on a pgp-cert.

0: http://web.monkeysphere.info/doc/host-keys/
1: http://stackoverflow.com/questions/4061319/is-it-possible-to-create-an-ssl-certificate-out-of-a-pgp-public-private-key
2: https://svn.java.net/svn/sommer~svn/trunk/misc/FoafServer/pgpx509/src/net/java/dev/sommer/foafserver/utils/PgpX509Bridge.java

RFC 6091 defines a way to use OpenPGP certificates instead of X.509
certificates for TLS sessions:

   https://tools.ietf.org/html/rfc6091

You might also be interested in this discussion on the monkeysphere list
about generating X.509 certificates that refer directly back to their
OpenPGP origin:

  https://lists.riseup.net/www/arc/monkeysphere/2011-03/msg00027.html


Thank you for posting the links.

I see the need for using X.509 certs mainly for serving HTTPS to clients like browsers. Other than that and whenever possible, I would choose to stay on the sunny side of decentralized WoT by sticking to OpenPGP.

What got me thinking about bridging OpenPGP and X.509 in the first place were Tor Hidden Services. As Nick mentioned earlier in this thread, a Tor Hidden Service .onion address could be used as some sort of 'anonymous DynDNS'.

I'm not that familiar with Tor, but as I understand it, the client of a Tor Hidden Service gets a server-authenticated end-to-end encrypted circuit for TCP streams. This works with Tor-specific proxies on both the client and server side and could be an inter-freedombox scenario.

However, it's different if the client side doesn't run the Tor SOCKS proxy and reaches the Hidden Service over a www2onion proxy like tor2web.org. In this case, the Tor circuit is terminated at tor2web.org and server-auth is lost. If the Hidden Service did an HTTP redirect to itself using its proper IP address, server-auth could be regained with HTTPS. And that's where we would be back in the monkeysphere and the problem of bridging PGP and X.509 trust models in the browser.

Anyhow, this is just a thought and not meant as a solution proposal.

Cheers,
Michael

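The thread talks about "extracting the RSA key" from an X.509 certificate to build an OpenPGP certificate from it (and the reverse). The following is an added example, not code from the thread, from Monkeysphere or from the linked PgpX509Bridge: it carries one RSA public key in both the X.509 SubjectPublicKeyInfo form and the OpenPGP v4 public-key packet form, using only the Python standard library, and computes the OpenPGP v4 fingerprint as RFC 4880 defines it. The key values (n = 3233, e = 17) are constructed toy numbers, not a real key. The point a practitioner should take from it: the X.509 side identifies the key by its DER encoding alone, while the OpenPGP fingerprint also hashes the key creation time, so the same RSA key imported with two different creation times yields two different OpenPGP fingerprints.

```python
"""Added example (not part of the mailing-list thread): the same RSA public
key as an X.509 SubjectPublicKeyInfo and as an OpenPGP v4 key packet.
Standard library only; toy key values are constructed for illustration."""
import hashlib
import struct

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER content octets
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """DER INTEGER: minimal big-endian, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def spki_from_rsa(n, e):
    """Encode (n, e) as the SubjectPublicKeyInfo an X.509 cert carries."""
    algo = _der_tlv(0x30, _der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    rsa_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    # BIT STRING with 0 unused bits wrapping the RSAPublicKey SEQUENCE
    return _der_tlv(0x30, algo + _der_tlv(0x03, b"\x00" + rsa_key))


def _der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_from_spki(spki):
    """Extract (n, e) from a SubjectPublicKeyInfo: the 'extract the RSA key' step."""
    tag, outer, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algo, pos = _der_read(outer, 0)
    oid_tag, oid, _ = _der_read(algo, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(outer, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_seq, _ = _der_read(bitstr, 1)
    _, n_bytes, pos = _der_read(rsa_seq, 0)
    _, e_bytes, _ = _der_read(rsa_seq, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpi(value):
    """OpenPGP multi-precision integer: 2-octet bit count, then the magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def openpgp_v4_key_packet_body(n, e, creation_time):
    """RFC 4880 v4 public-key packet body: version, creation time, algo 1 (RSA), MPIs."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + _mpi(n) + _mpi(e)


def openpgp_v4_fingerprint(n, e, creation_time):
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-octet body length, body."""
    body = openpgp_v4_key_packet_body(n, e, creation_time)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def openpgp_key_id(fingerprint):
    """The long key ID is the low-order 64 bits of the v4 fingerprint."""
    return fingerprint[-16:]


if __name__ == "__main__":
    n, e = 3233, 17  # constructed toy RSA values (61 * 53), not a real key
    spki = spki_from_rsa(n, e)
    print("extracted from SPKI:", rsa_from_spki(spki))
    for t in (0, 1337):  # two different creation times, one RSA key
        print("creation", t, "fingerprint", openpgp_v4_fingerprint(n, e, t))
```

Running the block prints the (n, e) recovered from the DER and two distinct fingerprints for the same key, which is why a tool bridging the two formats has to fix the creation time deterministically if the OpenPGP identity is to be reproducible from the X.509 key alone.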

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss