Another step towards crowdfunding

Micah Lee micah at micahflee.com
Wed Dec 18 02:45:43 CET 2013


On 12/17/2013 04:10 PM, Doug Barton wrote:
> I have no connection to StartSSL other than "satisfied non-paying
> 'customer'" but they do the trick, and the price is right. There are
> other free options as well, as was pointed out here recently. It doesn't
> matter to me which one y'all choose, but please, choose one and let's
> move on.

Another argument for doing this.

The centralized public key infrastructure is badly flawed, but if you do
have a cert that's signed by a CA that Firefox and Chromium trust you
get added to the HSTS preload lists for those browsers.

Here's a bit about what HSTS is:

https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security

Chromium (and by extension Chrome) ships with a list of websites that
are preloaded with HSTS. Here's info about getting in the Chromium list:

http://www.chromium.org/sts (specifically, email Adam Langley at
agl at chromium.org).

Here's Firefox's feature definition for its HSTS preload list:

https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List

I don't know what the policy is to get on their list, but Firefox
currently ships with it:

https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc

So my guess is just open a bug asking for gnupg.org to get added.

As far as I know these preload lists only force HTTPS for these domains.
I wonder if anyone could convince the browser vendors to also do
certificate pinning, bypassing PKI based on CAs altogether?

-- 
Micah Lee
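A defender-side check of the Strict-Transport-Security header a site serves, the kind of thing to verify before asking a browser vendor for preload inclusion. This is an added example, not part of Micah's post or of any GnuPG code; the eligibility thresholds it applies (a max-age of at least one year, includeSubDomains, and the "preload" token, which is a browser-vendor extension rather than part of RFC 6797) are assumptions, since the email does not state the vendors' criteria.

```python
import re

# Assumed preload criteria, not stated in the email above: a max-age of at
# least one year, includeSubDomains, and the explicit "preload" token.
MIN_PRELOAD_MAX_AGE = 31536000

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload),
    or None when the policy is invalid (no or malformed max-age, repeated directive)."""
    seen = set()
    max_age, include_subdomains, preload = None, False, False
    for raw in header_value.split(";"):
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:  # browsers ignore a header that repeats a directive
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains, preload)

def preload_problems(header_value):
    """Reasons a header fails the assumed preload criteria; an empty list means eligible."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid Strict-Transport-Security policy"]
    max_age, include_subdomains, preload = policy
    problems = []
    if max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    if not include_subdomains:
        problems.append("missing includeSubDomains")
    if not preload:
        problems.append("missing preload token")
    return problems

SAMPLES = {  # constructed header values, not captured from any real site
    "short": "max-age=300",
    "full": "max-age=63072000; includeSubDomains; preload",
    "malformed": "includeSubDomains; max-age=abc",
}
```

Running `preload_problems` over each entry of `SAMPLES` shows which header would be rejected and why; only the "full" one comes back with an empty list.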
