| field | value | date |
|---|---|---|
| author | Matt Goins <mjgoins@openflows.com> | 2009-01-31 12:02:54 -0500 |
| committer | Matt Goins <mjgoins@openflows.com> | 2009-01-31 12:02:54 -0500 |
| commit | 88db45249b8d92d2c7c7d66101410c1db01e77c1 (patch) | |
| tree | 48a558a3d112106005f88314a184c57336ef4bb7 /website/vision.mdwn | |
| parent | 499aa3840041d9ddd5c680adce059260059aabf9 (diff) | |
| parent | 3ebaf05d01b7d4639980608feefeef7287000634 (diff) | |
Merge commit 'jrollins/master'
Diffstat (limited to 'website/vision.mdwn')
-rw-r--r-- | website/vision.mdwn | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/website/vision.mdwn b/website/vision.mdwn new file mode 100644 index 0000000..281bc72 --- /dev/null +++ b/website/vision.mdwn @@ -0,0 +1,31 @@ +[[meta title="Our vision for the future of the monkeysphere"]] + +## External Validation Agent ## + +This is probably at the crux of the Monkeysphere vision for the future: + +* [Simon Josefsson proposed out-of-process certificate verification model in gnutls-devel](http://news.gmane.org/find-root.php?group=gmane.comp.encryption.gpg.gnutls.devel&article=3231) +* [Werner Koch's dirmngr](http://www.gnupg.org/documentation/manuals/dirmngr/) +* [GnuTLS wiki external validation](http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation) +* [Pathfinder PKI validation](http://code.google.com/p/pathfinder-pki/) (includes validation plugins for OpenSSL and LibNSS). + +## TLS transition strategies ## + +While [RFC 5081](http://tools.ietf.org/html/rfc5081) is quite a while +off from widespread adoption, it would be good to have an interim +translation step. This is analogous to the SSH work we've done, where +the on-the-wire protocol remains the same, but the keys themselves are +looked up in the OpenPGP WoT. + +Firefox extensions that deal with certificate validation seem to be +the easiest path toward demonstrating this technique. We should look +at: + +* [SSL Blacklist](http://codefromthe70s.org/sslblacklist.aspx) +* [Perspectives](http://www.cs.cmu.edu/~perspectives/firefox.html) +* there is another firefox extension that basically disables all TLS certificate checking. The download page says things like "this is a bad idea" and "do not install this extension", but i'm unable to find it at the moment. + +## Related discussions ## + +* [Wandering Thoughts blog discussion about Web of Trust flaws](http://utcc.utoronto.ca/~cks/space/blog/tech/WebOfTrustFlaws?showcomments) +* [Wandering Thoughts blog discussion about certificate authorities](http://utcc.utoronto.ca/~cks/space/blog/web/SSLCANeed?showcomments) |
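Review bot: the third bullet under "Firefox extensions that deal with certificate validation" has no link and says the extension cannot be found, so it should either get a citation or be marked as a TODO rather than shipped as an item "we should look at". It also does not fit the list: an extension that disables all TLS certificate checking removes server authentication entirely and demonstrates nothing about looking keys up in the OpenPGP WoT, which is the technique the section is arguing for, so if it stays it is better framed as a cautionary counterexample than as a candidate path. Two smaller points in the same hunk: "interim translation step" under the "TLS transition strategies" heading reads as a typo for "transition step", and "i'm" should be "I'm".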