discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Erich Eckner <opennic AT eckner.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] broken https on reg.libre
- Date: Sat, 23 May 2020 15:09:38 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
On Fri, 22 May 2020, Rouben wrote:
You could do a split PGP/GPG key approach, where two people with their own
individual Yubikeys (or similar device) need to sign the intermediate, but
we would need to figure out how to convert these signed certs into X.509
after the fact. I’m not sure if this is even possible, as PGP/GPG has *some*
X.509 capabilities, I just don’t know if it supports all the extensions
necessary for a CA intermediate.
I think, this will not work: An X.509 certificate is *one* signature (of the other key and metadata), while the PGP/GPG scenario, you describe, sounds like GPGs web of trust - which relies on *multiple* signatures (of the other key) to verify that key. These two concepts are not interchangable.
However, the math *should* be possible: Theoretically, one could create a combined signature in a Diffie-Hellman-like procedure. The only thing, I don't see, is how one would create the respective private keys, because they are not independent of each other and the (combined) public key.
That being said: I'm not a gpg nor openssl guru either ;-)
Any OpenSSL/GPG/PGP gurus on here that know of a similar mechanism (split
private key)?
I have been pondering this a little more and came to the conclusion, that it might really be better to have multiple such keys. This would additionally secure against the case, that one of them goes rogue/gets compromised.
Also it might be worth considering to have multiple Intermediates (parallel, not serial), so the acme-signing can be trivially distributed over multiple persons/hosts. But this is rather simple to implement, as we would only need to sign all those intermediates (regularly) by the root ca(s).
btw: How would such a per-design-centralized infrastructure (not your fault, Rouben, but rather X.509's fault) cooperate with the democratic and decentralized nature of opennic?
Rouben
regards, Erich
P.S.: I'm currently fighting to compile step-cli and step-ca on arm to try it out for my personal PKI on my raspberry (so far I was using an ugly, hand-crafted, ssh-based, not-scalable, self-written automatic pki).
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl7JIJMACgkQCu7JB1Xa
e1oGChAAvk5TKkGouJEOPtI6WG9M1Pw9MQrPIB46bjSUmumiWexa7wCHvjK7Va54
xfGHryshs44OmVcLM6WhD5+XUQgIOt4uyA6Smdw6ZruGhHHMzXBAOqgq3vT6UBXf
CWHSmU+POgc82TsEqGb0YwixxAO7GOFujtK7q5QVcrk1ZhzUj6VqGHCBjVYRnxe7
CxLyQ8F/hapzuLyrTNABpHVR++8mKDSOgNk+u8ikep3zybx5SebJEHUE7EQnSKpR
UK0anMp/l5jRdiTshgZvImZ/29CinwYl7gjegQtNNkuz750IJpcAI+QXupIFNT8d
6mNT+9j6nLYKpcpMNmL/Gz0HhwRnp5iLEypkWL0iUBW/W3KKsbVzahKGnaqTsz5k
4BfecHAA0BGoD1pTzlUs6t1z6F/jWp0j3DL9eiBSOQbisye45SrlMESG78nJcKDp
TWDJwCUDRyR2QPqiqrL9HZ1GeDPOw3oMAKu6zy5OPG5U63Mw7ObvxiP25RW9R4TZ
TmdGyHLnGy+e1MFlktU9KPgl6Sdsg88kT8gS5JPBtRrm5eFnpCmMI1dU+oigrCY9
uwT9i39ndUHuRqnXSX5YKJjTNM/8hREhQwT1Jt8iA4yeBEcKMCU1tnhetp5+anwe
rud8N8HTz0TzsF3Vh/0MhuYuPiH92VT7KCd2E2yi3oHOPJ9h/qs=
=z9+P
-----END PGP SIGNATURE-----
-
[opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
- Re: [opennic-discuss] broken https on reg.libre, Rouben, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/23/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/24/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, postmaster, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Amunak, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/26/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/27/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/27/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/28/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/24/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Erich Eckner, 05/22/2020
-
Re: [opennic-discuss] broken https on reg.libre,
Rouben, 05/22/2020
Archive powered by MHonArc 2.6.19.