Daniel Black
Daniel Black
Daniel s a CAcert Infrastructure System Administrator and has deployed client certificate authentication on a number of CAcert services. He is a developer of Certificate Plug-in for RoundCube webmail and contributed patches to Sympa, and openssl; and will hopefully complete Postfix and Dovecot Certificate/OCSP patches by presentation time. He is also a Gentoo Developer, and has presented to Canberra Linux Users Group on CAcert, Autoconf and how it works, and Packaging Software for distribution.
Daniel has a Masters Degree in Computer Science covering security and cryptography topics.
Not another damn password! It's the 21st Century after all
Transforming the infrastructure of CAcert into something certificate based was a good exercise in removing passwords and making a community certificate authority more accessible to the community it serves.
Passwords - so easy to setup and the entry barrier it introduces and the support barrier so easily forgotten.
Why is it a problem? Web 2.0 - you want interaction with the community. How much of the community have you prevented by you choosing the default password based install.
Solutions:
- OpenID
- LDAP/Kerberos
- CAS
- (other)
- And what I did - "certificate authentication in everything".
Why? Well this was CAcert - "eat your own dogfood" came to mind.
(An explanation as to what is client certificate authentication briefly).
IMAP/POP3 and SMTP had passwords. Problem of email client support and icky server implementation. Solution -> a simple single PHP web page with a client certificate authentication that could reset passwords. Looking under the hood - this is what the Apache configuration looked like and this is what the PHP looked like.
Webmail how to deploy a plug-in for Roundcube. How easy is it?
Something harder - web interface to email lists. Migrated Mailman to Sympa which already supported certificate authentication. Features of Sympa and the benefits to CAcert of this migration.
Small Gotchas - Firefox and certificates. Detail about oddities of client certificate implementation in Firefox.
How to require certificate support without support costs for this error: "(Error code: ssl_error_handshake_failure_alert)". Costs to CAcert of this error in number of support requests and lost community. Solution - optional certificate authentication with Apache and mod_rewrite to show friendly errors. Problem with solution - Safari - its inner workings and how to accommodate it.
Opening up Subversion with certificates and the improved community participation. And others - wiki - bugs - blog - board and association voting system all resulting benefits of increased participation.
Downsides. Tips and tricks. Questions.
DKIM - Anti Email Forgery
Domain Keys Identified Mail (DKIM) is an email anti-spoofing protocol using digital signatures. It provides senders with a way to prove email from their domain has not been tampered or forged, and provides receivers a mechanism to validate email content without prior arrangement. Author Domain Signing Practices (ADSP) supports the lack of prior arrangement by indicating, based on the email From header field, whether a sender signs all email. Difficulties can arise because of email lists as they sometimes modify email content, and preserve From header fields, hence invalidating signatures and ADSP verification. However this paper suggests solutions for mailing list developers and their administrators and work-arounds for the receiver handling invalid signatures on email lists.
Published Oct 24, 2009.
hm, I like these ideas about passwords which really annoy me!