Another step towards crowdfunding
Micah Lee
micah at micahflee.com
Wed Dec 18 02:45:43 CET 2013
On 12/17/2013 04:10 PM, Doug Barton wrote:
> I have no connection to StartSSL other than "satisfied non-paying
> 'customer'" but they do the trick, and the price is right. There are
> other free options as well, as was pointed out here recently. It doesn't
> matter to me which one y'all choose, but please, choose one and let's
> move on.
Another argument for doing this.
The centralized public key infrastructure is badly flawed, but if you do
have a cert that's signed by a CA that Firefox and Chromium trust, you
get added to the HSTS preload lists for those browsers.
Here's a bit about what HSTS is:
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
Chromium (and by extension Chrome) ships with a list of websites that
are preloaded with HSTS. Here is info about getting on the Chromium list:
http://www.chromium.org/sts (specifically, email Adam Langley at
agl at chromium.org).
Here's Firefox's feature definition for its HSTS preload list:
https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
I don't know what the policy is to get on their list, but Firefox
currently ships with it:
https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc
So my guess is just open a bug asking for gnupg.org to get added.
As far as I know these preload lists only force HTTPS for these domains.
I wonder if anyone could convince the browser vendors to also do
certificate pinning, bypassing PKI based on CAs altogether?
--
Micah Lee
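The mechanism the message describes, as an added example that is not part of the original post or of GnuPG: a small model of how a browser applies HSTS (RFC 6797), with a Strict-Transport-Security header parser, a known-hosts store seeded from a preload list, the http-to-https upgrade decision including includeSubDomains, and a check of a header against preload-list submission criteria. The seed entry for gnupg.org and the timestamps are constructed sample data, and the submission criteria encoded here (max-age of at least one year, includeSubDomains, preload) are the ones hstspreload.org publishes today, an assumption not stated in the post.

```python
"""HSTS (RFC 6797) as a browser applies it, plus a preload-eligibility check.
Example code added for this page, not from the original post.  The preload
criteria (max-age >= 1 year, includeSubDomains, preload) are an assumption
taken from hstspreload.org's current submission rules, not from the post."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; assumed preload minimum for max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    received_at: float  # epoch seconds; 0 marks a preloaded (built-in) entry

    def expired(self, now: float) -> bool:
        # Built-in entries never expire; learned ones expire after max-age.
        return self.received_at != 0 and now > self.received_at + self.max_age


def parse_sts_header(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse per RFC 6797 s6.1.  Returns None on a malformed header (missing,
    duplicate or non-numeric max-age).  Directive names are case-insensitive
    and unknown directives are ignored, as the RFC requires."""
    max_age: Optional[int] = None
    include_sub = preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload, now)


class HstsStore:
    """Known HSTS hosts: preload seed plus policies learned from headers."""

    def __init__(self, preload: Dict[str, bool]):
        # preload maps host -> includeSubDomains, like a browser's built-in
        # list.  Callers pass constructed sample data, not the real list.
        self.policies = {h: HstsPolicy(0, s, True, 0) for h, s in preload.items()}

    def record_header(self, host: str, header: str, now: float) -> bool:
        """Apply a header seen over TLS; True if the store changed.  A header
        never overrides a preloaded entry; max-age=0 removes a learned one."""
        policy = parse_sts_header(header, now)
        host = host.lower()
        if policy is None:
            return False
        current = self.policies.get(host)
        if current is not None and current.received_at == 0:
            return False
        if policy.max_age == 0:
            return self.policies.pop(host, None) is not None
        self.policies[host] = policy
        return True

    def should_upgrade(self, host: str, now: float) -> bool:
        """RFC 6797 s8.3: exact host match, or any superdomain whose
        unexpired policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p is not None and not p.expired(now) and (i == 0 or p.include_subdomains):
                return True
        return False


def preload_eligible(header: str) -> Tuple[bool, List[str]]:
    """Check a header against the assumed preload submission criteria."""
    policy = parse_sts_header(header, 0)
    if policy is None:
        return False, ["header does not parse"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return not problems, problems


if __name__ == "__main__":
    store = HstsStore({"gnupg.org": True})  # constructed seed, not the real list
    now = 1387324800.0  # fixed timestamp so the run is deterministic
    print(store.should_upgrade("www.gnupg.org", now))  # True via preload
    print(preload_eligible("max-age=600"))
```

The store keeps preloaded entries separate from learned ones by their zero timestamp, which is what makes a preload entry different from an ordinary HSTS header: it applies on the very first visit and cannot be expired or cleared by a later header, so the one unprotected first request that ordinary HSTS still leaves is closed.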