[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Encrypted Web Pages?



On Mon, Dec 17, 2007 at 08:52:30AM -0800, Martin Fick wrote:

:> I may be missing something about the 
:> implications of HTTPS, but you could 
:> certainly key pgp public keys to x.509
:> identities if you wanted to keep static 
:> data gpg encrypted on the server.
:
:I'm not sure that I understand this 
:suggestion, could you be more explicit?
:Are you suggesting simply limiting access
:to the data by certificate (i.e server 
:side limiting?)  That would not satisfy
:my trust model, the server should be
:assumed to be untrusted.

So knowing a bit more about your requirements I'll clarify my think on
this point as it's most relevant (though doesn't address transparency
to the user).

You use X.509 personal certificates to authenticate the user, this is
relatively straight forward and standard.  

Once you have established identity with X.509 you tie that identity to
a gpg||pgp public key.  Presuambly you would establish this initial
mapping at account creation, where you could generate the client
cretificate and request the user upload their public key.  Now
whenever you see that certificate you know which key to use for
encryption, decryption stays on the user end.  Your app should
probably check keyserver for key revocations so it doesn't lead data
to a compromised key.

-Jon