On Thu, Sep 12, 2013 at 09:02:51PM +0200, Anders Jackson wrote:
> > > Isn't this just a new snake oil certificate? I would like a simple GUI
> > > to
> >
> > You say that like it was a bad thing.
>
> Depends, but yes mostly it is. Try to distribute it.

Secrets should be generated on device, and not leave the device. In fact, we need an open hardware auditable TPM which does not allow the secrets to be extracted, and allows basic crypto operations to be conducted onboard, outside of the OS's access. Trusting central authorities with doing the right thing is a single point of failure. Trust should be built on people you've known for a long time. Recently it has become possible to build distributed networks where trust is a function of network quorum.

> > > add CAcert.org certificates, or from any other CA.
> >
> > The CA model is dead. You might have missed the memo.
>
> No, it isn't. It just smells like it when used badly.

The problem is that it's the default.

> > > Also generate certificate keys that can be imported to web browsers and
> > > used to log in on your freedombox web interface. One for each user, and
> > > easy to remove.
> >
> > You can import your own CA into the browser, which gets
> > rid of the warnings.
>
> Yes, and?

This means that in a network of friends, running trusted hardware like Freedombox, each with their own onboard CA, the CA-issued certs no longer generate a warning in a stock browser without plugins, once imported. That's way insufficient, but it's a first building block.

> > > I think there is work on using PGP keys useful in TLS (SSL), anyone
> > > know
> >
> > SSL/TLS no longer inspires confidence. Messy implementations like
> > OpenSSL even less.
>
> Well, SSL has been dead for a long time and is still used. Don't use it!
>
> TLS isn't a problem, unless you use early versions. Don't use those.

I wish that such notions were widespread. Once Snowden's leak spigot dries up it will be business as usual in a few months, outside of a small circle of people producing tools the majority is unaware of, and doesn't understand the need for. Until the next major leak, lather, rinse, repeat.
_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
