[cryptography] trustable self-signed certs in a P2P environment (freedombox)

Adam Back adam at cypherspace.org
Wed Nov 30 15:11:20 EST 2011


Its rather common for people with load balancers and lots of servers serving
the same domain to have multiple certs.

Same for certs to change to a new CA before expiry.  (Probably switched to a
new CA when adding more servers to the load balanced web server farm).

I installed cert patrol and the popups about this are frequent.  Any
solution that hopes for easy interim deployment needs to work with this.

Adam

On Wed, Nov 30, 2011 at 12:05:29PM -0800, Peter Eckersley wrote:
>Perspectives and Convergence are one effort to do this (what key do other
>people see on this server?).  MonkeySphere is another (which humans in a web
>of trust will vouch that this is the right key for this server?).
>
>Perspectives/Convergence suffer from the problem that there is no way to tell
>the difference between "the server was reinstalled and now has a new key" and
>"the whole world sees an attack in progress".  The former is more common but
>the second can also occurr.
>
>MonkeySphere has the problem that the web of trust has to be enormous before
>it's likely that you can build a chain to the admins of all of the websites
>you visit.
>
>On Wed, Nov 30, 2011 at 01:30:03PM +0100, Eugen Leitl wrote:
>>
>> I presume many here are aware of the Eben Moglen-started
>> FreedomBox initiative, which sets out to build a Debian
>> distro for lplug computers and similar which will package
>> many existing tools for the end result of an end-user
>> owned and operated, anonymizing and censorship-resistant
>> infrastructure.
>>
>> One of the problems I did not see well-addressed yet is
>> infrastructure for a cert trust network, which uses social
>> graph information (FreedomBox is supposed to package a P2P
>> alternative to Facebook & Co) for cert fingerprint validation.
>>
>> Is anyone aware of existing code which caches SSL cert
>> fingerprints and alerts when one suddenly changes, informing
>> of a potential MITM in progress?
>>
>> Thanks.
>>
>> --
>> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>> ______________________________________________________________
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>
>-- 
>Peter Eckersley                            pde at eff.org
>Technology Projects Director      Tel  +1 415 436 9333 x131
>Electronic Frontier Foundation    Fax  +1 415 436 9993
>_______________________________________________
>cryptography mailing list
>cryptography at randombit.net
>http://lists.randombit.net/mailman/listinfo/cryptography



More information about the cryptography mailing list