fr33domlover
/
Rel4tion-Wiki
mirror of git://seek-together.space/wiki.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158
							The instructions below are written for the Rel4tion server. For more general
purpose instructions for CAs, see [[SSL]].

# Intro

Rel4tion manages its own SSL certificates. Since they aren't signed by a
centralized [[!wikipedia "Certificate Authority"]] (CA), your client
applications (web browser, Jabber client, etc.) won't trust them unless you
explicity mark them as trusted. Many applications will simply ask you whether
you wish to trust the certificate. **This is probably the safest approach**.

In addition to this, Rel4tion manages its own CA. Trusting the CA means your
computer automatically trusts any certificate signed by it. However, since this
CA is made by [[fr33domlover]], who just runs a small home server and isn't a
security expert, **you should understand the implications before you install
it. If you don't much about SSL and CAs, you probably shouldn't do that. Just
follow to the next section below.**

# (1) Trusting Specific Certificates

This is the best path for using Rel4tion's server with SSL/TLS. Here are the
options:

1. Tell your browser (or Jabber client etc.) to trust the specific
   certificate (not the whole CA)
2. Tell the browser/client to not verify the certificate. This is like the first
   option, but allows **fake certificates to work without being detected**,
   which is BAD. So the **previous** option is probably better.
3. Use plain HTTP. For web browsing, it's probably reasonable. For Jabber,
   Bitlbee, Mumble, etc. you'll probably prefer one of the other options.

# (2) Trusting the CA

If you took the first path in the previous section (trusting specific
certificates), please ignore this section.

**If you understand the implications**, this is an option too. Anyway, read
[[here|http://www.inventati.org/en/ssl.html]] before you start. Specifically,
this quote from that page is important:

> As we said before, you put your trust in the hands of the CA when accepting
> that the connection to a site is secure. We decided it would be illogical to
> put the trust relationship between our users and us in the hands of
> profit-oriented corporations. Corporations that are also keen to collaborate
> with governments and intelligence agencies. For example, your government
> could get a commercial CA to collaborate, and hand over a signed certificate
> for our domains. Then the government will be able to set up a proxy between
> you and us, letting your browser believe that the connection is secure, while
> being able to decypher and intercept all your traffic. As recent news have
> proved, we made the right decision not to trust corporations to stand up to
> government wiretapping requests.

So why does Rel4tion have a CA?

1. The text above
2. It's a workaround until the centralized broken CA system is replaced by a
   web-of-trust based protocol, such as [[!wikipedia Monkeysphere]].
3. It's an alternative to Monkeysphere, which isn't widely used yet.
4. Fighting for decentralization and freedom. Centralized commercial CAs want
   your personal information and trust you if you pay them. They trust even
   websites like g00gle known to spy and abuse. An independent CA only trusts
   friends etc., which is the way trust generally works between people.

**WARNING**: If your computer trusts Rel4tion's CA, it means that the people
who have access to the CA's private key ([[fr33domlover]], unless someone
manages to make a copy of it) can authorize any certificate they like, and your
computer will automatically trust them. This is true for *any* CA, but some CAs
are approved by GNU/Linux distributions and web browsers, while Rel4tion's CA
hasn't been tested by any "authority". So *make sure you understand the risk*
before proceeding.

The following instructions are for the Debian-based distributions. Information
about other (fully free) distributions, such as Parabola, is welcome.

## Download

If you still want to install the CA, here's how.

Get the CA certificate and the signature from the website. You ca do it on the
command like like this:

	$ wget --no-verbose http://rel4tion.org/rel4tion-ca.crt
	2014-07-14 10:07:13 URL:http://rel4tion.org/rel4tion-ca.crt
	[2667/2667] -> "rel4tion-ca.crt" [1]
	
	$ wget --no-verbose http://rel4tion.org/rel4tion-ca.crt.sig
	2014-07-14 10:07:13 URL:http://rel4tion.org/rel4tion-ca.crt.sig
	[287/287] -> "rel4tion-ca.crt.sig" [1]

## Verify

If you happen to trust [[fr33domlover]]'s GPG key, you just need to verify the
signature. GnuPG will inform you it is trusted (unless it isn't):

	$ gpg --verify rel4tion-ca.crt.sig rel4tion-ca.crt
	gpg: Signature made IST 20:54:50 2014 Nov 26 Wed using RSA key ID 63E5E57D
	gpg: Good signature from "fr33domlover <fr33domlover@rel4tion.org>"
	gpg:                 aka "fr33domlover <fr33domlover@riseup.net>"
	gpg:                 aka "fr33domlover <fr33domlover@inventati.org>"

Notice the **Good signature** line. That is what tells you whether you
GPG-trust the key.

If you don't GPG-trust the key, make sure it's the right key by comparing its
fingerprint. You'll know if the signature isn't trusted because GnuPG displays
a warning:

	gpg: WARNING: This key is not certified with a trusted signature!
	gpg:          There is no indication that the signature belongs to the
	              owner.

In this case, make sure the key fingerprint is:

	6FEE C222 7323 EF85 A49D  5487 5252 C5C8 63E5 E57D

In order to get the fingerprint of the key which made the signature you
downloaded (so that you can compare to the one above), look at the "key ID" is
the output you got from `gpg --verify`. It should be the same as in the example
above. If not, **don't** proceed to the installation and contact me. If it's
the same, get the fingerprint like this:

	gpg --recv-keys 63E5E57D
	gpg --fingerprint 63E5E57D

Make sure the output matches the long fingerprint line above.

If everything went well, you can delete the *.sig* file. The next step is to
install the *.crt* file.

## Install

Debian-based distributions, such as Trisquel, have a system list of trusted
certificates, and you can add more manually. In order to add **Rel4tion**'s CA
certificate do the following:

	$ su
	# cp /home/joe/rel4tion-ca.crt /usr/local/share/ca-certificates
	# update-ca-certificates

You will see output like this:

	Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
	Running hooks in /etc/ca-certificates/update.d....
	Adding debian:rel4tion-ca.pem
	done.

The permissions look like this:

	# ls -l /usr/local/share/ca-certificates
	-rw-r--r-- 1 root staff 2667 Jul 14 11:43 rel4tion-ca.crt

## Specific Applications

Some programs don't integrate well with the system, and maintain their own
separate list of trusted CAs. For example, GNU IceCat and other Firefox
derivatives are like this. If you use them, you'll need to go to their Options
and add the certificate there.