After further thought: With a CA on each freedombox we could have something like this
Create a CA using (options used could be changed):

  openssl genrsa -des3 -out "Freedombox CA.key" 4096
  openssl req -new -x509 -days 3650 -key "Freedombox CA.key" -out "Freedombox CA.pem"

Possibly replace any snakeoil keys created by Debian (Postfix uses 2048 bits, could use 4096 bits if Postfix is the MTA used).

Include in Plinth an option for a freedom box to obtain ssl keys with the Freedombox CA. No interface to an external website, openssl can do this.

The public key of the Freedombox CA could be published, to be imported into someone else's browser; could be a problem with multiple Freedombox CAs with the same name.

Possibly a paranoid option to rotate the ssl keys on the freedom box, run manually and/or as a cron job (now doing this daily with one of my mailservers).

On Thu, 2013-09-12 at 12:05 +0200, Jonas Smedegaard wrote:
> Quoting Keith (2013-09-12 12:43:28)
> > Anyone for setting up a Freedombox CA?
> > This could be added to the freedombox as a trusted CA and usable for
> > freedombox to freedombox TLS only.
>
> Please update subject field to reflect when, well, changing subject.
>
> It could, if it is deemed sensible to trust an external entity separate
> from other external entities with a lot more eyeballs on them.
>
> Or, if your idea is that "we" run the CA, I am curious how "we" as a
> non-hierarchical body deal with such a hierarchical structure as a CA.
>
> Personally I would prefer this sliding scale:
>
> common CAs -> CAcert.org -> no CAs
>
> I.e. I see no need for creating a new CA. But am open to (at least try
> to) understand the reasoning behind your idea. :-)
>
>
> - Jonas
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
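The per-box CA workflow sketched in the message above (create a CA, have a box obtain a certificate from it locally with openssl, publish the CA certificate for others to import), as an added example that is not part of the original post or of the FreedomBox project. It assumes only that `openssl` is on PATH; the function names (`make_ca`, `issue_cert`, `verify_cert`, `ca_fingerprint`) and the host name `box1.example` are constructed for the demonstration. Two choices differ from the message's commands and are assumptions: the CA key is encrypted with `-aes256` instead of `-des3`, and `-subj` is used so nothing prompts interactively. The last function illustrates the name-collision concern raised in the message: two CAs that share the subject name "Freedombox CA" still have different keys and fingerprints, so a certificate issued by one does not verify against the other, and anyone importing a "Freedombox CA" needs to check the fingerprint, not the name.

```shell
#!/bin/sh
# Added example (not FreedomBox code): a minimal private CA and one host
# certificate signed by it, entirely offline, followed by chain verification.
set -eu

# make_ca DIR NAME BITS PASS
# Creates a passphrase-protected CA key and a self-signed CA certificate in DIR.
# The original message uses -des3; -aes256 is the assumed substitute here.
make_ca() {
  dir=$1; name=$2; bits=$3; pass=$4
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" "$bits" 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$pass" \
    -subj "/CN=$name" -out "$dir/ca.pem" 2>/dev/null
}

# issue_cert DIR CADIR HOST BITS PASS
# Generates the box's own key and CSR and signs the CSR with the CA in CADIR.
# No external website is involved; the CA key never leaves CADIR.
issue_cert() {
  dir=$1; cadir=$2; host=$3; bits=$4; pass=$5
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
    -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
    -passin "pass:$pass" -CAcreateserial -days 365 -out "$dir/$host.pem" 2>/dev/null
}

# verify_cert CAPEM CERT
# Returns 0 if CERT chains to the CA certificate CAPEM, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CAPEM
# Prints the SHA-256 fingerprint of the CA certificate: this, not the
# subject name, is what someone importing the CA should compare.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone demonstration: two CAs with the same name, one host cert.
# 2048-bit keys keep the run short; the message proposes 4096 for the CA.
demo() {
  work=$(mktemp -d)
  make_ca "$work/ca1" "Freedombox CA" 2048 firstpass
  make_ca "$work/ca2" "Freedombox CA" 2048 secondpass
  issue_cert "$work/box1" "$work/ca1" box1.example 2048 firstpass
  echo "CA 1: $(ca_fingerprint "$work/ca1/ca.pem")"
  echo "CA 2: $(ca_fingerprint "$work/ca2/ca.pem")"
  if verify_cert "$work/ca1/ca.pem" "$work/box1/box1.example.pem"; then
    echo "box1 cert verifies against CA 1 (the issuer)"
  fi
  if ! verify_cert "$work/ca2/ca.pem" "$work/box1/box1.example.pem"; then
    echo "box1 cert does NOT verify against CA 2, despite the identical name"
  fi
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run as `sh ca-demo.sh demo`. The point of the two-CA run is that browser trust is bound to the imported CA's key, so publishing the CA certificate only helps peers if they can also check its fingerprint out of band; a second CA calling itself "Freedombox CA" neither validates nor impersonates the first.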
