Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
norden.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Moin! Dies ist die Mastodon-Instanz für Nordlichter, Schnacker und alles dazwischen. Folge dem Leuchtturm.

Administered by:

Server stats:

3.6K
active users

norden.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#pki

2 posts2 participants0 posts today
Replied in thread
Public
Preston Maness ☭

@Xeniax Totally nerdsniped :D I'd love to be a part of the study.

I don't think that #KeyServers are dead. I think they evolved into Verifying Key Servers (VKS), like the one run by a few folks from the OpenPGP ecosystem at keys.openpgp.org/about . More generally, I believe that #PGP / #GPG / #OpenPGP retains important use-cases where accountability is prioritized, as contrasted with ecosystems (like #Matrix, #SignalMessenger) where deniability (and Perfect Forward Secrecy generally) is prioritized. Further, PGP can still serve to bootstrap those other ecosystems by way of signature notations (see the #KeyOxide project).

Ultimately, the needs of asynchronous and synchronous cryptographic systems are, at certain design points, mutually exclusive (in my amateur estimation, anyway). I don't think that implies that email encryption is somehow a dead-end or pointless. Email merely, by virtue of being an asynchronous protocol, cannot meaningfully offer PFS (or can it? Some smart people over at crypto.stackexchange.com seem to think there might be papers floating around that can get at it: crypto.stackexchange.com/quest).

To me, the killer feature of PGP is actually not encryption per se. It's certification, signatures, and authentication/authorization. I'm more concerned with "so-and-so definitely said/attested to this" than "i need to keep what so-and-so said strictly private/confidential forever and ever." What smaller countries like Croatia have done with #PKI leaves me green with envy.

keys.openpgp.orgkeys.openpgp.org
Public
Cuz :twit:

This is what innovation can do!

#AirGapped #Offline #PKI #PrivateKeys #TwoFactor- #2FA #Yubico #Yubikey

======

Vincent Bernat Turns Three YubiKeys and a Cheap Single-Board Computer Into a Secure Offline PKI
hackster.io/news/vincent-berna

---
Developer Vincent Bernat demonstrates how to turn three Yubico YubiKey USB two-factor authentication dongles into an offline public key infrastructure (PKI) using a low-cost single-board computer as an air-gapped host.

Picture of the Yubikeys used in the project
Public
Cassander

Is today #FediHire Friday? Sure looks like it!

What I'm looking for: A senior level, individual contributor role supporting Windows, Active Directory, Certificates, PKI, Azure, and information security in a large environment. Interested in relocating outside of the US. I like to solve weird problems and make computers run smoothly. I want to help others use technology effectively.

My main focus the last few years has been rebuilding and modernizing a struggling certificate management team. That includes growing the team to meet our company needs, migrating our AD-integrated private PKI stack, getting a handle on our web PKI consumption, and making massive improvements to our certificate lifecycle management platform. I supported and advised our CyberSec and Desktop teams as we rolled out multi-factor authentication to 50,000 employees and contractors across the US. My background in understanding deep computer fundamentals, talent for quickly grasping nuances of larger systems, and calmness in a crisis have contributed to quickly resolving major technology outages regardless of root cause.

This role hasn't been exclusively technical. A big part of my current job is building relationships with our developers to help them understand how certificates work, the responsible ways to use them, and what our relevant internal policies are. I've been training and teaching junior and mid-level engineers both practical PKI concepts and our specific enterprise requirements. I've gotten to spend some time with upper management to both explain the immediate challenges we've had and the plans we can implement improve our infrastructure, reducing costs and outages.

While this position has been focused on certs and how to use them, I'm very comfortable considering a technical leadership role for Windows (server and desktop) administration and Active Directory. I also have some good experience with Azure and virtualization platforms, but they haven't been my daily focus for several years.

My current employer is direct retail for general public consumers. I've also worked in banking/finance, manufacturing, and architecture firms. The common thread is I love to help people leverage technology for their goals, to help them be more effective.

In my personnel/volunteer time I've done very similar: working backstage with lights/sounds/projections so live performers can do their best.

Right now I'm in Syracuse, New York (about five hours from NYC), but I'm open to relocation/migration anywhere in the world.

PMs open if you want to talk details. Boosts/reshares appreciated.

#Job#GetFediHired#ITJobs
Public
Habr

Предложение Mozilla по отзыву случайных сертификатов

Разработчики Mozilla выступили с интересным предложением по оздоровлению инфраструктуры сертификатов TLS и инфраструктуры открытых ключей (PKI) в целом. Среди прочего, Центрам Сертификации предлагается массово отзывать у пользователей сертификаты, чтобы подтолкнуть их к автоматизации. Для тестирования системы ежегодно отзыву подлежит 30 случайных сертификатов.

habr.com/ru/companies/globalsi

ХабрПредложение Mozilla по отзыву случайных сертификатовРазработчики Mozilla выступили с интересным предложением по оздоровлению инфраструктуры сертификатов TLS и инфраструктуры открытых ключей (PKI) в целом. Среди прочего, Центрам Сертификации...
#Mozilla#отзыв_сертификатов#автоматизация
Public
Larvitz :fedora: :redhat:

Let's Encrypt soon starts offering TLS certificates with just 6 days of lifetime. It's just an option and the 90 day certs are also still offered but I doubt that this will add a lot of security.

letsencrypt.org/2025/01/16/6-d

Based on the number of occasions, I already had problems with the 90days renewals in the past (software bugs and human error), I see this the value in this move rather sceptical.

letsencrypt.orgAnnouncing Six Day and IP Address Certificate Options in 2025This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering. Subscribers will be able to opt in to short-lived certificates via a certificate profile mechanism being added to our ACME API.
#tls#letsencrypt#certificates
Replied to Christian
Public
mkj

@chris This sounds very similar to HTTP Public Key Pinning (HPKP), and sounds like it could have much the same issues and failure modes as HPKP. Only obvious difference being that you're proposing DNS as the delivery mechanism whereas HPKP used HTTP response headers, so it would generalize more readily to non-HTTP protocols.

#PKI#HPKP
Public
Christian

🚨 Fixing the PKI Mess: CAA + Your Own CA via DNS 🚨

Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.

🔐 What if we could fix this using DNS?

#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.

🔥 How It Works
You run your own CA (because why trust the cartel?). You then publish:
1️⃣ A CAA record specifying your own CA (with a fingerprint! 🔥)
2️⃣ A DNS record with your CA’s public key (like DKIM but for TLS!)

🔹 Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!

🚀 Why Is This Better Than the Current CA Model?
✅ Self-Sovereign Identity: If you own the domain, you should own its PKI.
✅ Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
✅ Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
✅ No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store.
✅ Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model.

🔥 Why Isn’t This a Thing Already?
Big Tech hates this idea because it removes their control:
❌ Google wants Certificate Transparency (CT), where they control which certs are logged.
❌ Commercial CAs make $$$ selling certs. This kills their business.
❌ DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed.

Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI.

🔗 Who Needs to Implement This?
🚀 Self-hosters & Homelabs: Use this for your own infrastructure.
🚀 Email providers: Stop relying on public CAs!
🚀 Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
🚀 Fediverse devs: Let’s push for DNS-based CA validation!

What do you think? Would you trust your own CA in DNS over some random commercial CA?

🔁 Boost this if you want a decentralized PKI revolution!

🔥 This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust.

#PKI#Security#DNSSEC
Public *
Marcus Regenberg | marreg

#NetHSM - Das vertrauenswürdige, offene Hardware-Sicherheitsmodul, das einfach funktioniert

🇨🇭 Sicherer Speicher für kryptografische Schlüssel (z. B. #TLS von #Webservern, #DNSSEC, #PKI, #CA, #Blockchain)
🇨🇭 #OffenerQuellcode ermöglicht die Überprüfung, dass keine Hintertüren enthalten sind
🇨🇭 Einfach zu bedienen durch moderne #REST-Schnittstelle und moderne Software-Tools
🇨🇭 Hergestellt in Deutschland

nitrokey.com/de/produkte/neths

#madeingermany
Public
dorotaC

I went to #38c3 and left my laptop unplugged. Its clock stopped and it think it's December 27.

Of course, web site certificates are invalid. But why do I get #OCSP errors in #Firefox when I clearly disabled OCSP querying?

> An error occurred during a connection to search.brave.com. The OCSP response is not yet valid (contains a date in the future).

Is this a data leak about domains I visit? I'd search for info but #Brave doesn't load :P

#privacy#tls#pki
Public
gregR ☯

Et vous, ? elle commence comment votre journée ? #DCV #PKI

github.com/cabforum/servercert

> Confirming the Applicant's control over the FQDN by sending a Random Value via email, fax, SMS, or postal mail and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact.

Les cartes postales, ça compte ?

GitHubservercert/docs/BR.md at main · cabforum/servercertRepository for the CA/Browser Forum Server Certificate Chartered Working Group - cabforum/servercert
Public
varx/tech

Been thinking about what the key-trust part of decentralized "social PKI" should look like.

The individual part seems straightforward: A public key, and a history of key rotations (where each key signs a message revoking itself as latest, and endorsing the next public key as latest instead.)

But how do you trust someone else's key in the first place? (Including when they lose all data and have to recreate their identity, with a new key.)

I'm very tempted to say... we can leave that to implementations, with just some strong suggestions in the spec as to how to meet different users' different needs.

One implementation could just use TOFU and notify the user if something looks wrong. Another could participate in a key-gossip system, where useragents inform each other of identity/key relationships they've seen, allowing multipath resilience against MITM. And another could go full-on PGP key-party if it really wanted to, I guess.

Does this sound reasonable? Would love to hear feedback.

:boost_ok:

#cryptography#SocialMediaDesign#PKI
Public
Neil Craig

Via @riskybiz newsletter:
Apple want to reduce TLS cert lifetimes down to 10 days by Sept 2025.

I agree with reducing lifetimes but it doesn't leave a lot of time for the many awkward use cases. We'd have to build provisioning/mgmt services & make sure we cover all our servers & hardware (at least 5 or 6 digits worth of servers/appliances). That's a *lot* of work alongside everything else we have to do (with ever-decreasing numbers of staff).

github.com/cabforum/servercert

GitHubSC-081: Introduce Schedule of Reducing Validity and Data Reuse Periods by clintwilson · Pull Request #553 · cabforum/servercertBy clintwilson
#CA#TLS#InfoSec
Public
seism0saurus

As promised, I published the slides and the notes of my session about "A private ACME compatible CA with HSM" on my blog:

seism0saurus.de/posts/private-

If you have question, feedback or find an error, feel free to contact me on Mastodon or per mail.

Also thanks to @nitrokey for the hardware security modules needed for the session.

#osco24 #osco #infosec #pki #acme

@OSCo

seism0saurus · A private ACME compatible CA with HSMI’m at the Open Security Conference right now. The osco is an Open Space conference about information security. I’m also part of the organisation team and did a season about a private ACME compatible CA with HSM. Since the conference language is english, I will also write my summary here in english.
ExploreLive feeds
About