[cryptography] trustable self-signed certs in a P2P environment (freedombox)

Adam Back adam at cypherspace.org
Wed Nov 30 15:11:20 EST 2011

Its rather common for people with load balancers and lots of servers serving
the same domain to have multiple certs.

Same for certs to change to a new CA before expiry.  (Probably switched to a
new CA when adding more servers to the load balanced web server farm).

I installed cert patrol and the popups about this are frequent.  Any
solution that hopes for easy interim deployment needs to work with this.


On Wed, Nov 30, 2011 at 12:05:29PM -0800, Peter Eckersley wrote:
>Perspectives and Convergence are one effort to do this (what key do other
>people see on this server?).  MonkeySphere is another (which humans in a web
>of trust will vouch that this is the right key for this server?).
>Perspectives/Convergence suffer from the problem that there is no way to tell
>the difference between "the server was reinstalled and now has a new key" and
>"the whole world sees an attack in progress".  The former is more common but
>the second can also occurr.
>MonkeySphere has the problem that the web of trust has to be enormous before
>it's likely that you can build a chain to the admins of all of the websites
>you visit.
>On Wed, Nov 30, 2011 at 01:30:03PM +0100, Eugen Leitl wrote:
>> I presume many here are aware of the Eben Moglen-started
>> FreedomBox initiative, which sets out to build a Debian
>> distro for lplug computers and similar which will package
>> many existing tools for the end result of an end-user
>> owned and operated, anonymizing and censorship-resistant
>> infrastructure.
>> One of the problems I did not see well-addressed yet is
>> infrastructure for a cert trust network, which uses social
>> graph information (FreedomBox is supposed to package a P2P
>> alternative to Facebook & Co) for cert fingerprint validation.
>> Is anyone aware of existing code which caches SSL cert
>> fingerprints and alerts when one suddenly changes, informing
>> of a potential MITM in progress?
>> Thanks.
>> --
>> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>> ______________________________________________________________
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>Peter Eckersley                            pde at eff.org
>Technology Projects Director      Tel  +1 415 436 9333 x131
>Electronic Frontier Foundation    Fax  +1 415 436 9993
>cryptography mailing list
>cryptography at randombit.net

More information about the cryptography mailing list