SSL (today TLS) allows client software to authenticate web services and establish encrypted
connections with them over the network. Each service holds a private key, which it
uses to prove its identity, and a public certificate containing the matching public key,
which client software uses to verify the service.

Most of the time client software actually trusts Certificate Authorities (CAs),
which can sign many different certificates. Trusting the CA then implies trusting
every certificate it signs. Of course this raises the question "how many
people can one person possibly trust?", and indeed the number is small (because
there's a limit to the number of people we can maintain friendships with...
there are just 24 hours in a day). CAs are usually large, and don't really trust
all their users in the ordinary social meaning of trust.

Partager solves the problem by allowing trust to be established through PGP
signatures, which are a decentralized mechanism, and provides its own independent
CA which neither trusts, nor expects to be trusted by, any of those large
corporate-managed CAs, which could potentially sign any certificate if paid
enough (even if some of them don't, how would you know who's honest and who
isn't? That is exactly the problem with large CAs).

The Monkeysphere support that will enable the use of PGP signatures __is not complete yet__,
but if you haven't yet told your computer to trust Partager's CA, you can follow
the [[certificate usage guide|projects/systems/servers/security/certificates]].
Then you can, for example, browse this website securely by using an https:// prefix in the
address instead of http://.

If you would like to have your certificate signed by Partager's CA in order to
avoid duplication of effort, that's fine - but note that Partager is a community
CA, i.e. trust is based on actual trust between friends. So either we already
know each other, or we will need to. Once there is real-life trust, there can
also be digital trust. If you ask me, this is how it's supposed to work.

If you don't know me and cannot get to know me, e.g. because you live on the other side of the
world, that's fine - I intend my "community CA" approach to be applied to
individual homes and small communities. You can easily create your own CA just
like Partager has done, by following the
[[SSL admin guide|projects/systems/admin-guides/SSL]]. There's even a user guide
you can use to understand the client side, and Partager's certificate usage
guide mentioned above can be used as a template to create your own - just
replace "partager" with the name of your CA :-)

Files you may be looking for:

- CA certificate: [[rel4tion-ca.crt]]
- PGP signature of the certificate: [[rel4tion-ca.crt.sig]]
- Revocation lists: <http://cert.rel4tion.org/crl/>