Add news entry for 1pa3pc.
parent
90356ddb28
commit
0e08808ad1
|
@ -2,6 +2,41 @@
|
|||
<div class="about">
|
||||
<center><h2><a href="/about">About</a> | News | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>
|
||||
|
||||
<h2 id="2021-09-20-1pa3pc">
|
||||
<div style="float: right; font-size: small; line-height: 2em;">2021-09-20 📅</div>
|
||||
<a style="color: black;" href="/about/news#2021-09-20-1pa3pc">Support for third-party certification signatures</a>
|
||||
</h2>
|
||||
|
||||
<p>
|
||||
To address the <a href="https://lwn.net/Articles/792366/">certificate-flooding attacks</a>, Hagrid used to strip third-party certifications from certificates.
|
||||
Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications.
|
||||
|
||||
<p>
|
||||
Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate.
|
||||
In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed.
|
||||
|
||||
<p>
|
||||
dkg devised such a mechanism — nicknamed <a href="https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/-/blob/master/draft-dkg-openpgp-abuse-resistant-keystore.md#first-party-attested-third-party-certifications-fpatpc">1pa3pc</a> for first-party attested third-party certifications — and <a href="https://gitlab.com/openpgp-wg/rfc4880bis/-/blob/main/rfc4880bis.md#attested-certifications-attested-certifications">refined</a> it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group.
|
||||
Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications.
|
||||
|
||||
<p>
|
||||
To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications.
|
||||
You can see an example of such a certificate with a certification <a href="https://keys.openpgp.org/search?q=noemi-melissa%40probier.email">here</a>.
|
||||
|
||||
<p>
|
||||
This attestation has been created using Sequoia's low-level key management functions:
|
||||
|
||||
<pre>
|
||||
$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp
|
||||
$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp
|
||||
</pre>
|
||||
|
||||
By uploading <tt>mycert.attested.pgp</tt> to keys.openpgp.org, the certificate holder agrees to the attested certifications being published.
|
||||
Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them.
|
||||
|
||||
<p>
|
||||
Looking forward to transparent support in clients and a comeback of strong certification-based authentication models 🙌
|
||||
|
||||
<h2 id="2019-11-12-celebrating-100k">
|
||||
<div style="float: right; font-size: small; line-height: 2em;">2019-11-12 📅</div>
|
||||
<a style="color: black;" href="/about/news#2019-11-12-celebrating-100k">Celebrating 100.000 verified addresses! 📈</a>
|
||||
|
|
|
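Review bot: The two sq lines inside the <pre> block use raw angle brackets for the redirections (<mykey.pgp >mykey.attested.pgp), and an HTML parser will treat <mykey.pgp > and <mykey.attested.pgp > as start tags, so the input file names drop out of the rendered commands. Write the redirections as &lt; and &gt; in both lines. The text that follows </pre> ("By uploading ...") also sits outside any <p>, since the opening <p> before the block is implicitly closed by <pre>; give it its own <p> so it is styled like the other paragraphs.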
@ -4,6 +4,12 @@
|
|||
<link href="{{ base_uri }}/atom.xml" rel="self"/>
|
||||
<id>urn:uuid:8e783366-73b1-460e-83d3-42f01046646d</id>
|
||||
<updated>2019-11-12T12:00:00Z</updated>
|
||||
<entry>
|
||||
<title>Support for third-party certification signatures</title>
|
||||
<link href="{{ base_uri }}/about/news#2021-09-20-1pa3pc" />
|
||||
<updated>2021-09-21T12:00:00Z</updated>
|
||||
<id>urn:uuid:aca50bf2-5310-4d6a-8ee1-d361be7ce201</id>
|
||||
</entry>
|
||||
<entry>
|
||||
<title>Celebrating 100.000 verified addresses! 📈</title>
|
||||
<link href="{{ base_uri }}/about/news#2019-11-12-celebrating-100k" />
|
||||
|
|
|
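Review bot: The feed-level <updated> just above the new <entry> is left at 2019-11-12T12:00:00Z, while the entry added below it is stamped 2021-09-21T12:00:00Z. The feed-level value is meant to reflect the most recent change to the feed, and readers may rely on it to detect new items, so it should be bumped to the timestamp of the newest entry in the same change.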
@ -25,7 +25,7 @@
|
|||
<hr />
|
||||
|
||||
<p>
|
||||
<strong>{{ text "News:" }}</strong> {{ text "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)" }}
|
||||
<strong>{{ text "News:" }}</strong> {{ text "<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)" }}
|
||||
</p>
|
||||
{{/with}}
|
||||
{{/layout}}
|
||||
|
|
|
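Review bot: The new news line shows (2021-09-21), but the anchor it links to is #2021-09-20-1pa3pc and the heading on the news page is dated 2021-09-20. Pick one date and use it for the front-page text, the anchor and the heading so readers following the link do not see two different publication dates.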
@ -107,11 +107,9 @@ msgstr "News:"
|
|||
|
||||
#: src/gettext_strings.rs:16
|
||||
msgid ""
|
||||
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
|
||||
"verified addresses! 📈</a> (2019-11-12)"
|
||||
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
|
||||
"certification signatures</a> (2021-09-21)"
|
||||
msgstr ""
|
||||
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Wir feiern 100.000 "
|
||||
"überprüfte Adressen! 📈</a> (2019-11-12)"
|
||||
|
||||
#: src/gettext_strings.rs:17
|
||||
msgid "v{{ version }} built from"
|
||||
|
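Review bot: The new msgid for the news line is followed by an empty msgstr, and the previous German translation is removed with the old msgid, so the German front page will fall back to the English headline. If a German wording is available, add it to the msgstr here rather than shipping the entry untranslated.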
@ -481,3 +479,10 @@ msgstr "Zeitlimit beim Hochladen abgelaufen. Bitte versuch es erneut."
|
|||
#: src/web/vks.rs:284
|
||||
msgid "Invalid verification link."
|
||||
msgstr "Ungültiger Bestätigungs-Link."
|
||||
|
||||
#~ msgid ""
|
||||
#~ "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
|
||||
#~ "verified addresses! 📈</a> (2019-11-12)"
|
||||
#~ msgstr ""
|
||||
#~ "<a href=\"/about/news#2019-11-12-celebrating-100k\">Wir feiern 100.000 "
|
||||
#~ "überprüfte Adressen! 📈</a> (2019-11-12)"
|
||||
|
|
|
@ -103,8 +103,8 @@ msgstr "News:"
|
|||
|
||||
#: src/gettext_strings.rs:16
|
||||
msgid ""
|
||||
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
|
||||
"verified addresses! 📈</a> (2019-11-12)"
|
||||
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
|
||||
"certification signatures</a> (2021-09-21)"
|
||||
msgstr ""
|
||||
|
||||
#: src/gettext_strings.rs:17
|
||||
|
|
|
@ -91,7 +91,7 @@ msgid "News:"
|
|||
msgstr ""
|
||||
|
||||
#: src/gettext_strings.rs:16
|
||||
msgid "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)"
|
||||
msgid "<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)"
|
||||
msgstr ""
|
||||
|
||||
#: src/gettext_strings.rs:17
|
||||
|
|
|
@ -107,8 +107,8 @@ msgstr "ニュース:"
|
|||
|
||||
#: src/gettext_strings.rs:16
|
||||
msgid ""
|
||||
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
|
||||
"verified addresses! 📈</a> (2019-11-12)"
|
||||
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
|
||||
"certification signatures</a> (2021-09-21)"
|
||||
msgstr ""
|
||||
|
||||
#: src/gettext_strings.rs:17
|
||||
|
|
|
@ -13,7 +13,7 @@ fn _dummy() {
|
|||
t!("You can also <a href=\"/upload\">upload</a> or <a href=\"/manage\">manage</a> your key.");
|
||||
t!("Find out more <a href=\"/about\">about this service</a>.");
|
||||
t!("News:");
|
||||
t!("<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)");
|
||||
t!("<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)");
|
||||
t!("v{{ version }} built from");
|
||||
t!("Powered by <a href=\"https://sequoia-pgp.org\">Sequoia-PGP</a>");
|
||||
t!("Background image retrieved from <a href=\"https://www.toptal.com/designers/subtlepatterns/subtle-grey/\">Subtle Patterns</a> under CC BY-SA 3.0");
|
||||
|
|
|
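Review bot: The replaced t!() string carries the anchor href and the date inside the translatable text, so each news entry creates a new msgid and the existing translations are thrown away, which is what happens to the German catalog in this commit. Consider marking only the headline for translation and supplying the link target and date from the template, so that translators see plain text and an updated link does not invalidate their work.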
@ -1,6 +1,41 @@
|
|||
<div class="about">
|
||||
<center><h2><a href="/about">About</a> | News | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>
|
||||
|
||||
<h2 id="2021-09-20-1pa3pc">
|
||||
<div style="float: right; font-size: small; line-height: 2em;">2021-09-20 📅</div>
|
||||
<a style="color: black;" href="/about/news#2021-09-20-1pa3pc">Support for third-party certification signatures</a>
|
||||
</h2>
|
||||
|
||||
<p>
|
||||
To address the <a href="https://lwn.net/Articles/792366/">certificate-flooding attacks</a>, Hagrid used to strip third-party certifications from certificates.
|
||||
Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications.
|
||||
|
||||
<p>
|
||||
Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate.
|
||||
In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed.
|
||||
|
||||
<p>
|
||||
dkg devised such a mechanism — nicknamed <a href="https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/-/blob/master/draft-dkg-openpgp-abuse-resistant-keystore.md#first-party-attested-third-party-certifications-fpatpc">1pa3pc</a> for first-party attested third-party certifications — and <a href="https://gitlab.com/openpgp-wg/rfc4880bis/-/blob/main/rfc4880bis.md#attested-certifications-attested-certifications">refined</a> it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group.
|
||||
Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications.
|
||||
|
||||
<p>
|
||||
To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications.
|
||||
You can see an example of such a certificate with a certification <a href="https://keys.openpgp.org/search?q=noemi-melissa%40probier.email">here</a>.
|
||||
|
||||
<p>
|
||||
This attestation has been created using Sequoia's low-level key management functions:
|
||||
|
||||
<pre>
|
||||
$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp
|
||||
$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp
|
||||
</pre>
|
||||
|
||||
By uploading <tt>mycert.attested.pgp</tt> to keys.openpgp.org, the certificate holder agrees to the attested certifications being published.
|
||||
Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them.
|
||||
|
||||
<p>
|
||||
Looking forward to transparent support in clients and a comeback of strong certification-based authentication models 🙌
|
||||
|
||||
<h2 id="2019-11-12-celebrating-100k">
|
||||
<div style="float: right; font-size: small; line-height: 2em;">2019-11-12 📅</div>
|
||||
<a style="color: black;" href="/about/news#2019-11-12-celebrating-100k">Celebrating 100.000 verified addresses! 📈</a>
|
||||
|
|
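Review bot: Two wording slips in the added paragraphs change the meaning. In the note after the <pre> block, "will also have to test to these" should read "attest to these", and in the Certificate Sovereignty paragraph "to chose what certifications" should be "to choose which certifications". The sq lines inside <pre> use unescaped < and > for the redirections and should be written with &lt; and &gt;. This template repeats the text of the other news template changed in this commit, so each correction has to be made in both files.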