Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>


Have_Control.mdwn

SSL’s trust model is quite centralized in practice, which some people consider a weakness or a result of bad design. Although anyone can become a Certificate Authority, your web browser trusts only a specific predefined group of CAs, and they’re managed by large companies which:

  1. Require you to pay for most of their services (sometimes you can get free but limited service)
  2. Require a lot of personal information about you

Maybe the worst thing is the fact that trust is established without actually knowing each other, i.e. the fact that some website is trusted by the web browser doesn’t mean you can trust it. For example, the websites of Google and Facebook use signed certificates which your web browser probably trusts automatically, without asking you. At the same time, they both collect private user data, apply censorship, report to the NSA, use your pictures to create advertisements and so on. Do they sound like people/services you can trust as a user? Probably not.

The good news: You can add new certificates to the web browser! Therefore, as a client, you can decide whom you trust and whom you don’t. It’s not something many people do, and the interface may sometimes not be the most friendly, but it’s important to have it.

You may guess that managing certificates manually is difficult and cumbersome, even with a GUI (like the ones Iceweasel and Evolution offer, for example). It’s true: there are very many websites on the internet, made by many different people, and managing all their certificates manually is impossible. Instead, you can tell your browser to determine who is trusted using [[!wikipedia PGP]].

PGP allows you to use trust signatures in a transitive manner. In simple words, while you still mark websites you trust, you can also choose to trust people you know (e.g. your friends), and your browser will automatically trust the websites they trust as well, making the work of marking trusted websites collaborative and much faster. If you have a community of people trusting each other in the PGP sense, using PGP for web service authentication becomes much easier - and you don’t need to rely on some potentially-greedy large companies to tell you who’s okay and who isn’t!
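As an added illustration (not code from the Rel4tion wiki or from Monkeysphere), the following Python models the transitive trust just described: the browser accepts a key for a service URL only when that user ID has been certified by people I trust, following GnuPG’s default validity rules, which are assumed here (one fully trusted signer or three marginally trusted ones, and a signer’s own key must itself be valid). All fingerprints and names are constructed sample values.

```python
# Simplified model of the transitive PGP trust described above (added
# illustration, not Monkeysphere's or GnuPG's code). Validity rule assumed from
# GnuPG defaults: 1 fully or 3 marginally trusted signers, each with a valid key.
FULL, MARGINAL = "full", "marginal"

class WebOfTrust:
    # keyring: fpr -> {uid -> set of signer fprs}; ownertrust: fpr -> level
    def __init__(self, my_fpr, keyring, ownertrust, max_depth=5):
        self.my_fpr, self.keyring = my_fpr, keyring
        self.ownertrust, self.max_depth = ownertrust, max_depth

    def key_valid(self, fpr, depth=0):
        if fpr == self.my_fpr:                  # own key: ultimately trusted
            return True                         # otherwise: any valid UID
        return any(self.uid_valid(fpr, u, depth) for u in self.keyring.get(fpr, {}))

    def uid_valid(self, fpr, uid, depth=0):
        certs = self.keyring.get(fpr, {}).get(uid)
        if certs is None or depth > self.max_depth:
            return False
        full = marginal = 0
        for signer in certs:
            if signer == fpr or signer not in self.ownertrust:
                continue                        # self-sig, or signer I never rated
            if not self.key_valid(signer, depth + 1):
                continue                        # trust only counts on a valid key
            if self.ownertrust[signer] == FULL:
                full += 1
            else:
                marginal += 1
        return full >= 1 or marginal >= 3

    def trusted_key_for(self, service_uid):
        """Fingerprint the browser should accept for this service URL, or None."""
        for fpr, uids in self.keyring.items():
            if service_uid in uids and self.uid_valid(fpr, service_uid):
                return fpr
        return None

# Constructed keyring: I certified Alice (full trust) and Bob, Carol, Dave
# (marginal); they certified service keys. Mallory is unknown to me.
KEYRING = {
    "ALICE": {"alice@example.net": {"ME"}}, "BOB": {"bob@example.net": {"ME"}},
    "CAROL": {"carol@example.net": {"ME"}}, "DAVE": {"dave@example.net": {"ME"}},
    "SITE1": {"https://wiki.example.org": {"SITE1", "ALICE"}},
    "SITE2": {"https://tracker.example.org": {"BOB", "CAROL", "DAVE"}},
    "SITE3": {"https://ads.example.org": {"BOB", "MALLORY"}},
}
OWNERTRUST = {"ME": FULL, "ALICE": FULL, "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
WOT = WebOfTrust("ME", KEYRING, OWNERTRUST)
```

`WOT.trusted_key_for("https://wiki.example.org")` yields the key Alice certified, the tracker key passes on three marginal certifications, and the ads key is rejected because only one rated signer vouched for it.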

Therefore, as a client you have two tools to help you use the web securely:

  1. Add CA certificates manually
  2. Use PGP

The PGP integration is relatively new, and is implemented by a free software project called Monkeysphere.

As a service provider, you can help promote the transition to a decentralized system by avoiding the centralized and commercial CAs and using your own CA instead, and by getting Monkeysphere support. This guide explains how to enable Monkeysphere for your SSL certificates.
