Discuss mailing list

[postmaster <postmaster AT welcome.factoryfouroh.net>]

Rouben, I have a few thoughts.

I am designing a political, manufacturing, etc. grassroots movements 
which shall in time build small, local nodes and grow into thousand-node 
networks. In nutshell, the cost savings in DNS structure, GNU/Linux 
software, home-hosted VMs via VPN, decentralized protocols, nomadic 
identity, self-trained owner-operators and administrators allow for a 
practically zero cost infrastructure and unlimited growth for small 
purpose-built nodes.

The BIGGEST obstacle is SSL - currently YunoHost relies on LetsEncrypt 
and they are not going to consider anything before there is proof of 
some huge user base needing it. Others like Virtualmin are more flexible 
- but they require real administrative work. So for now a 1-hour 
effortless node install is only possible on ICANN using YunoHost. Doing 
the same on OpenNIC is still expert work.

If anyone put a former project together to bring a workable solution in 
place I am willing to donate some money monthly - my technical knowledge 
is not sufficient for this level of work, otherwise I would happily 
donate work instead. At this point money is the only thing I have that 
worth anything.
This is pretty important but fortunately not that urgent..

You asked for thoughts, so I gave you my motivations for sticking around 
OpenNIC.
Here are two of my growing grassroots, so you may see what I mean...
https://public.gop-illinois.us/dokuwiki
https://welcome.factoryfouroh.net/dokuwiki
I do not post this to plug them, just to show what I am tying to do.

Cheers,
Sandor



On 2020-05-22 06:25, Rouben wrote:
> Hi,
>
> Since you bring up TOFU (Trust On First Use), I wanted to also chime
> in on the whole TLS cert situation.
>
> I think some things have changed since we last looked at it.
>
> 1. There are more ACME service (not just client) implementations
> available than before. For example, Smallstep CA seems like an easier
> to manage implementation that Let’s Encrypt’s boulder:
> https://smallstep.com/certificates/
>
> 2. As part of implementing a DNS change, we could ask our users to
> also import our root certs.
>
> 3. If we use ACME, we can set things up as follows (rough sketch, just
> off the top of my head):
>
> a) root cert - private key on a restricted machine or the CA
> operator’s hardware token like a YubiKey. The public key/self-signed
> cert for this one is published on opennic site and is what we ask our
> users to trust when they deploy our DNS
>
> b) intermediate - valid for 6 months, needs to be semi-automatically
> renewed (resigned) by (a) - CA operator does this with their hardware
> token/Yubikey on a secure, dedicated, offline machine.
>
> c) client certs - valid for 1-3 months, requested and issued
> exclusively through ACME protocol, signed by (b). Private key for (b)
> lives on ACME server.
>
> What are your thoughts?
>
> Rouben
>
> On Fri, May 22, 2020 at 06:01 Erich Eckner <opennic AT eckner.net> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hi,
> >
> > I know, that creating properly trusted ssl certificates for opennic
> > domains is (currently) impossible. But I'd still like to urge the
> > operator
> > of reg.libre to add the reg.libre vhost backend also on https (on
> > any
> > certificate). Because, currently, one is forced to use
> > http://reg.libre,
> > because https://reg.libre brings up the content from a different
> > vhost
> > (after ignoring to the unavoidable certificate warning/error).
> >
> > I think, using https with a broken certificate is still safer than
> > using
> > no https at all - it withstands passive eavesdropping, and also one
> > can
> > use tofu to pin the certificate after first use.
> >
> > btw: This might be true for other sites within opennic's namespace,
> > so
> > maybe everyone running sites which handle secret data (e.g. login
> > credentials) may want to check their config too :-)
> >
> > cheers,
> > Erich
> >
> > -----BEGIN PGP SIGNATURE-----
> >
> > iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl7Hos4ACgkQCu7JB1Xa
> > e1q43w//TcAlrpHK6oiIyGsJMYbqt09vCYJlHNEKPDORllGqWsM9z349rO6GtJLo
> > JQKevfO+xUSVC1SfK7v+KtnFHKjzybId1lV2Zh9PzYTIJn9Z1ix/xFwfkgpYhY7Y
> > YRtDfCoNBA5Z70qXzlSBm7Qx1FARwskdu4VCbQhyCKgYPjWEiJPxANUwuattUBqC
> > U2OamleBSRPqCdkxFiX3sNmljzuug1Vxbu+N90qLcnA4TIDeUVZS6D5JaP05+UCh
> > oY333+oU2CEymY85YncIRbvf1hu2MPg1bwrwjYU7lQkSXrSTT48jjwwduzeobiO6
> > aUPA7403iWTBQex2b+MsriJWJ4XwldbPM2keFUwzORm2QJ5cUdxMftblCc88P/Bn
> > p9ch6Pv8CnO6djndPiK4yvz3PJNb5xFURJttknjsy0Vy+Jiw7AlUwJ4Dvt49zdj5
> > 96SdM80wleL9JDjreXi9W0w/DjCTIHHFrt3greYTc7nb1bFtQ3Xanf8DBOD8YwPX
> > rUHS68MORsbc8+5wN0ZQSOv2/y2x6X9a4rbCqwTQQMzs5WEfUsMwWd+w0fxf+RFe
> > Hsi9ucXEoVuT24R6eTXZWTuUlCgSpTeRHzku9t2l6DfycvZGeXzQh/bQoDnCBenu
> > m2M/TDOia1EaTgngqzOqdg523MUXyyaPD3TFtCkbc2Gn7s7EAxg=
> > =/ldp
> > -----END PGP SIGNATURE-----
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing
> > discuss-unsubscribe AT lists.opennicproject.org
>  --
> Rouben
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing 
> discuss-unsubscribe AT lists.opennicproject.org

--
Low-Cost No-Risk Pilots for Transitioning to Industry 4.0 - a Linux User 
Group for the Manufacturing Sector