The instructions below are written for the Rel4tion server. For more general
purpose instructions for CAs, see [[SSL]].

# Intro

Rel4tion manages its own SSL certificates. Since they aren't signed by a
centralized [[!wikipedia "Certificate Authority"]] (CA), your client
applications (web browser, Jabber client, etc.) won't trust them unless you
explicitly mark them as trusted. Many applications will simply ask you whether
you wish to trust the certificate. **This is probably the safest approach**.

In addition to this, Rel4tion manages its own CA. Trusting the CA means your
computer automatically trusts any certificate signed by it. However, since this
CA is made by [[fr33domlover]], who just runs a small home server and isn't a
security expert, **you should understand the implications before you install
it. If you don't know much about SSL and CAs, you probably shouldn't do that.
Just go on to the next section below.**
# (1) Trusting Specific Certificates

This is the best path for using Rel4tion's server with SSL/TLS. Here are the
options:

1. Tell your browser (or Jabber client etc.) to trust the specific
   certificate (not the whole CA).
2. Tell the browser/client to not verify the certificate. This is like the first
   option, but allows **fake certificates to work without being detected**,
   which is BAD. So the **previous** option is probably better.
3. Use plain HTTP. For web browsing, it's probably reasonable. For Jabber,
   Bitlbee, Mumble, etc. you'll probably prefer one of the other options.
# (2) Trusting the CA

If you took the first path in the previous section (trusting specific
certificates), please ignore this section.

**If you understand the implications**, this is an option too. Anyway, read
[[here|http://www.inventati.org/en/ssl.html]] before you start. Specifically,
this quote from that page is important:

> As we said before, you put your trust in the hands of the CA when accepting
> that the connection to a site is secure. We decided it would be illogical to
> put the trust relationship between our users and us in the hands of
> profit-oriented corporations. Corporations that are also keen to collaborate
> with governments and intelligence agencies. For example, your government
> could get a commercial CA to collaborate, and hand over a signed certificate
> for our domains. Then the government will be able to set up a proxy between
> you and us, letting your browser believe that the connection is secure, while
> being able to decipher and intercept all your traffic. As recent news has
> proved, we made the right decision not to trust corporations to stand up to
> government wiretapping requests.

So why does Rel4tion have a CA?

1. The text above.
2. It's a workaround until the centralized, broken CA system is replaced by a
   web-of-trust-based protocol, such as [[!wikipedia Monkeysphere]].
3. It's an alternative to Monkeysphere, which isn't widely used yet.
4. Fighting for decentralization and freedom. Centralized commercial CAs want
   your personal information and trust you if you pay them. They even trust
   websites like g00gle, known to spy and abuse. An independent CA only trusts
   friends etc., which is the way trust generally works between people.

**WARNING**: If your computer trusts Rel4tion's CA, it means that the people
who have access to the CA's private key ([[fr33domlover]], unless someone
manages to make a copy of it) can authorize any certificate they like, and your
computer will automatically trust them. This is true for *any* CA, but some CAs
are approved by GNU/Linux distributions and web browsers, while Rel4tion's CA
hasn't been tested by any "authority". So *make sure you understand the risk*
before proceeding.

The following instructions are for Debian-based distributions. Information
about other (fully free) distributions, such as Parabola, is welcome.
## Download

If you still want to install the CA, here's how.

Get the CA certificate and the signature from the website. You can do it on the
command line like this:

    $ wget --no-verbose http://rel4tion.org/rel4tion-ca.crt
    2014-07-14 10:07:13 URL:http://rel4tion.org/rel4tion-ca.crt [2667/2667] -> "rel4tion-ca.crt" [1]

    $ wget --no-verbose http://rel4tion.org/rel4tion-ca.crt.sig
    2014-07-14 10:07:13 URL:http://rel4tion.org/rel4tion-ca.crt.sig [287/287] -> "rel4tion-ca.crt.sig" [1]
## Verify

If you happen to trust [[fr33domlover]]'s GPG key, you just need to verify the
signature. GnuPG will inform you it is trusted (unless it isn't):

    $ gpg --verify rel4tion-ca.crt.sig rel4tion-ca.crt
    gpg: Signature made IST 20:54:50 2014 Nov 26 Wed using RSA key ID 63E5E57D
    gpg: Good signature from "fr33domlover <fr33domlover@rel4tion.org>"
    gpg:                 aka "fr33domlover <fr33domlover@riseup.net>"
    gpg:                 aka "fr33domlover <fr33domlover@inventati.org>"

Notice the **Good signature** line. That is what tells you whether you
GPG-trust the key.

If you don't GPG-trust the key, make sure it's the right key by comparing its
fingerprint. You'll know if the signature isn't trusted because GnuPG displays
a warning:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.

In this case, make sure the key fingerprint is:

    6FEE C222 7323 EF85 A49D 5487 5252 C5C8 63E5 E57D

In order to get the fingerprint of the key which made the signature you
downloaded (so that you can compare it to the one above), look at the "key ID"
in the output you got from `gpg --verify`. It should be the same as in the
example above. If not, **don't** proceed to the installation and contact me. If
it's the same, get the fingerprint like this:

    gpg --recv-keys 63E5E57D
    gpg --fingerprint 63E5E57D

Make sure the output matches the long fingerprint line above.

If everything went well, you can delete the *.sig* file. The next step is to
install the *.crt* file.
## Install

Debian-based distributions, such as Trisquel, have a system list of trusted
certificates, and you can add more manually. In order to add **Rel4tion**'s CA
certificate, do the following:

    $ su
    # cp /home/joe/rel4tion-ca.crt /usr/local/share/ca-certificates
    # update-ca-certificates

You will see output like this:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:rel4tion-ca.pem
    done.

The permissions look like this:

    # ls -l /usr/local/share/ca-certificates
    -rw-r--r-- 1 root staff 2667 Jul 14 11:43 rel4tion-ca.crt
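The Verify and Install steps above, combined into one script. This is an added example, not code from the Rel4tion wiki or its author; it assumes wget, gpg with its default keyserver, a Debian-based system and root privileges, and the only Rel4tion-specific values in it are the certificate URL and the fingerprint quoted on this page. Unlike the manual steps, it compares the signer's full fingerprint (never the 8-digit key ID) and refuses to install on a mismatch or a bad signature.

```shell
#!/bin/sh
# Added example, not from the Rel4tion wiki: fetch the CA certificate and its
# detached GPG signature, verify it, compare the signer's FULL fingerprint
# with the one the page quotes, and only then install it. Assumes wget, gpg
# with a reachable keyserver, and a Debian-based system; run as root.
set -eu

CA_URL="http://rel4tion.org/rel4tion-ca.crt"
EXPECTED_FPR="6FEE C222 7323 EF85 A49D 5487 5252 C5C8 63E5 E57D"

# Normalise a fingerprint for comparison: drop spaces and colons, upper-case.
norm_fpr() { printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd 1 --verify` output on stdin and print the fingerprint
# of the key that made the signature (VALIDSIG field 3) plus, when gpg reports
# it, the primary key's fingerprint (field 12). Prints nothing without a
# VALIDSIG record, i.e. when the signature did not verify.
validsig_fprs() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print $3, $12; exit }'
}

# Succeed only if one of the fingerprints in $1 (validsig_fprs output) is a
# full 40-hex-digit match for $2. A short 8-digit key ID is never enough:
# short IDs are not unique, so only the full fingerprint identifies a key.
fpr_matches() {
    want=$(norm_fpr "$2")
    for got in $1; do
        got=$(norm_fpr "$got")
        [ "${#got}" -eq 40 ] && [ "$got" = "$want" ] && return 0
    done
    return 1
}

# The page's procedure end to end, with the fingerprint comparison automated.
# Under set -e a bad signature makes gpg's non-zero exit abort the function.
install_rel4tion_ca() {
    workdir=$(mktemp -d) && cd "$workdir"
    wget --no-verbose "$CA_URL" "$CA_URL.sig"
    # Fetch the key by full fingerprint rather than by the short ID.
    gpg --recv-keys "$(norm_fpr "$EXPECTED_FPR")"
    status=$(gpg --status-fd 1 --verify rel4tion-ca.crt.sig rel4tion-ca.crt)
    fprs=$(printf '%s\n' "$status" | validsig_fprs)
    fpr_matches "$fprs" "$EXPECTED_FPR" ||
        { echo "signer fingerprint does not match; not installing" >&2; return 1; }
    install -m 0644 rel4tion-ca.crt /usr/local/share/ca-certificates/
    update-ca-certificates
}

# Only run the installer when asked, so the helpers can also be sourced.
if [ "${RUN_REL4TION_CA_INSTALL:-0}" = 1 ]; then install_rel4tion_ca; fi
```

Run it as root with `RUN_REL4TION_CA_INSTALL=1 sh ./install-rel4tion-ca.sh`; sourcing the file without that variable only defines the helper functions.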
## Specific Applications

Some programs don't integrate well with the system, and maintain their own
separate list of trusted CAs. For example, GNU IceCat and other Firefox
derivatives are like this. If you use them, you'll need to go to their Options
and add the certificate there.