From 0e08808ad15e60017f9124c4e9d51ba9c61a97ba Mon Sep 17 00:00:00 2001
From: Justus Winter
Date: Tue, 21 Sep 2021 11:54:40 +0200
Subject: [PATCH] Add news entry for 1pa3pc.
---
 dist/templates/about/news.html.hbs | 35 ++++++++++++++++++++++
 dist/templates/atom.xml.hbs | 6 ++++
 dist/templates/index.html.hbs | 2 +-
 po/hagrid/de.po | 13 +++++---
 po/hagrid/en.po | 4 +--
 po/hagrid/hagrid.pot | 2 +-
 po/hagrid/ja.po | 4 +--
 src/gettext_strings.rs | 2 +-
 templates-untranslated/about/news.html.hbs | 35 ++++++++++++++++++++++
 9 files changed, 92 insertions(+), 11 deletions(-)
diff --git a/dist/templates/about/news.html.hbs b/dist/templates/about/news.html.hbs
index 0283926..40daa2f 100644
--- a/dist/templates/about/news.html.hbs
+++ b/dist/templates/about/news.html.hbs
@@ -2,6 +2,41 @@

About | News | Usage | FAQ | Stats | Privacy

+

+
2021-09-20 ๐Ÿ“…
+ Support for third-party certification signatures +

+ +

+ To address the certificate-flooding attacks, Hagrid used to strip third-party certifications from certificates. + Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications. + +

+ Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate. + In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed. + +

+ dkg devised such a mechanism — nicknamed 1pa3pc for first-party attested third-party certifications — and refined it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group. + Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications. + +

+ To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications. + You can see an example of such a certificate with a certification here. + +

+ This attestation has been created using Sequoia's low-level key management functions: + +

+$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp
+$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp
+      
+ + By uploading mycert.attested.pgp to keys.openpgp.org, the certificate holder agrees to the attested certifications being published. + Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them. + +

+ Looking forward to transparent support in clients and a comeback of strong certification-based authentication models ๐Ÿ™Œ +

2019-11-12 ๐Ÿ“…
Celebrating 100.000 verified addresses! ๐Ÿ“ˆ
diff --git a/dist/templates/atom.xml.hbs b/dist/templates/atom.xml.hbs
index 7229898..4c137b2 100644
--- a/dist/templates/atom.xml.hbs
+++ b/dist/templates/atom.xml.hbs
@@ -4,6 +4,12 @@ urn:uuid:8e783366-73b1-460e-83d3-42f01046646d 2019-11-12T12:00:00Z + + Support for third-party certification signatures + + 2021-09-21T12:00:00Z + urn:uuid:aca50bf2-5310-4d6a-8ee1-d361be7ce201 + Celebrating 100.000 verified addresses! ๐Ÿ“ˆ
diff --git a/dist/templates/index.html.hbs b/dist/templates/index.html.hbs
index 65af7c2..553580b 100644
--- a/dist/templates/index.html.hbs
+++ b/dist/templates/index.html.hbs
@@ -25,7 +25,7 @@
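Review bot: In the new entry's closing note, `the key holder will also have to test to these` reads like a typo for `attest to these`, and because that sentence is the only place telling holders that later certifications stay unpublished until they are attested again, it should be corrected; `allow the certificate holder to chose` in the second paragraph should be `choose`. The entry is dated 2021-09-20, while the atom feed entry and the index banner added by the same patch use 2021-09-21, so the dates should be aligned. Since the example works on `mykey.pgp`, which presumably holds secret key material, it may be worth one added sentence saying that only the extracted `mycert.attested.pgp` is meant to be uploaded. The same text is added to templates-untranslated/about/news.html.hbs and carries the same wording.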

- {{ text "News:" }} {{ text "Celebrating 100.000 verified addresses! ๐Ÿ“ˆ (2019-11-12)" }}
+ {{ text "News:" }} {{ text "Support for third-party certification signatures (2021-09-21)" }}

{{/with}} {{/layout}} diff --git a/po/hagrid/de.po b/po/hagrid/de.po index 5aa600d..8efaed3 100644 --- a/po/hagrid/de.po +++ b/po/hagrid/de.po @@ -107,11 +107,9 @@ msgstr "News:" #: src/gettext_strings.rs:16 msgid "" -"Celebrating 100.000 " -"verified addresses! ๐Ÿ“ˆ (2019-11-12)" +"Support for third-party " +"certification signatures (2021-09-21)" msgstr "" -"Wir feiern 100.000 " -"รผberprรผfte Adressen! ๐Ÿ“ˆ (2019-11-12)" #: src/gettext_strings.rs:17 msgid "v{{ version }} built from" @@ -481,3 +479,10 @@ msgstr "Zeitlimit beim Hochladen abgelaufen. Bitte versuch es erneut." #: src/web/vks.rs:284 msgid "Invalid verification link." msgstr "Ungรผltiger Bestรคtigungs-Link." + +#~ msgid "" +#~ "Celebrating 100.000 " +#~ "verified addresses! ๐Ÿ“ˆ (2019-11-12)" +#~ msgstr "" +#~ "Wir feiern 100.000 " +#~ "รผberprรผfte Adressen! ๐Ÿ“ˆ (2019-11-12)" diff --git a/po/hagrid/en.po b/po/hagrid/en.po index 0e17e97..e3f8e3b 100644 --- a/po/hagrid/en.po +++ b/po/hagrid/en.po @@ -103,8 +103,8 @@ msgstr "News:" #: src/gettext_strings.rs:16 msgid "" -"Celebrating 100.000 " -"verified addresses! ๐Ÿ“ˆ (2019-11-12)" +"Support for third-party " +"certification signatures (2021-09-21)" msgstr "" #: src/gettext_strings.rs:17 diff --git a/po/hagrid/hagrid.pot b/po/hagrid/hagrid.pot index 116ce4a..4f69fbb 100644 --- a/po/hagrid/hagrid.pot +++ b/po/hagrid/hagrid.pot @@ -91,7 +91,7 @@ msgid "News:" msgstr "" #: src/gettext_strings.rs:16 -msgid "Celebrating 100.000 verified addresses! ๐Ÿ“ˆ (2019-11-12)" +msgid "Support for third-party certification signatures (2021-09-21)" msgstr "" #: src/gettext_strings.rs:17 diff --git a/po/hagrid/ja.po b/po/hagrid/ja.po index ef549aa..c9c5643 100644 --- a/po/hagrid/ja.po +++ b/po/hagrid/ja.po @@ -107,8 +107,8 @@ msgstr "ใƒ‹ใƒฅใƒผใ‚น:" #: src/gettext_strings.rs:16 msgid "" -"Celebrating 100.000 " -"verified addresses! ๐Ÿ“ˆ (2019-11-12)" +"Support for third-party " +"certification signatures (2021-09-21)" msgstr "" #: src/gettext_strings.rs:17 
diff --git a/src/gettext_strings.rs b/src/gettext_strings.rs
index 8e36a4e..c18e1ae 100644
--- a/src/gettext_strings.rs
+++ b/src/gettext_strings.rs
@@ -13,7 +13,7 @@ fn _dummy() {
 t!("You can also upload or manage your key.");
 t!("Find out more about this service.");
 t!("News:");
- t!("Celebrating 100.000 verified addresses! ๐Ÿ“ˆ (2019-11-12)");
+ t!("Support for third-party certification signatures (2021-09-21)");
 t!("v{{ version }} built from");
 t!("Powered by Sequoia-PGP");
 t!("Background image retrieved from Subtle Patterns under CC BY-SA 3.0");
diff --git a/templates-untranslated/about/news.html.hbs b/templates-untranslated/about/news.html.hbs
index 161d228..b3e10ef 100644
--- a/templates-untranslated/about/news.html.hbs
+++ b/templates-untranslated/about/news.html.hbs
@@ -1,6 +1,41 @@

About | News | Usage | FAQ | Stats | Privacy

+

+
2021-09-20 ๐Ÿ“…
+ Support for third-party certification signatures +

+ +

+ To address the certificate-flooding attacks, Hagrid used to strip third-party certifications from certificates. + Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications. + +

+ Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate. + In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed. + +

+ dkg devised such a mechanism — nicknamed 1pa3pc for first-party attested third-party certifications — and refined it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group. + Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications. + +

+ To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications. + You can see an example of such a certificate with a certification here. + +

+ This attestation has been created using Sequoia's low-level key management functions: + +

+$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp
+$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp
+      
+ + By uploading mycert.attested.pgp to keys.openpgp.org, the certificate holder agrees to the attested certifications being published. + Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them. + +

+ Looking forward to transparent support in clients and a comeback of strong certification-based authentication models ๐Ÿ™Œ +

2019-11-12 ๐Ÿ“…
Celebrating 100.000 verified addresses! ๐Ÿ“ˆ