[liberationtech] BlackBerry and CALEA-II
Guido Witmond
guido at witmond.nl
Mon Apr 29 14:23:02 PDT 2013
On 04/29/2013 10:49 PM, Andrés Leopoldo Pacheco Sanfuentes wrote:
> Are there "truly secure" solutions? I don't think so.. especially not
> when we add the qualifier "of mass consumption "
I'm not sure. But I've given it a try. I call it eccentric
authentication. See [1], [2], [3].
In short:
It uses client side certificates (with private keys). Each account at
each site uses a different key and is a different identity.
Each site signs the certificates for its own site *only*. It uses a
First Party CA for that. That CA signs every request when the CommonName
is still available. (that's important). But only that.
By signing the site can recognise its customers based upon the
certificate and private key.
Customers can do more. They can sign blog entries at the site with their
private key, creating an unforgeable identity amongst other site-users.
I define a registry of (dis)honesty that keeps the sites and their CAs
honest with respect to keeping the CommonName unique at their site. This
is important.
The protocol uses DNSSEC and DANE to distribute server keys. There can
be only one First-Party CA for each domain name.
These two make the CN at Sitename a globally unique identifier, although
completely pseudonymous. Use Tor to hide IP-addresses and become anonymous.
By decoupling identities from message addressing we can have private,
secure messaging between total strangers. The only thing they need to
trust is their computer and software and the DNSSEC root key.
Regards,
Guido Witmond.
[1] http://witmond.nl/eccentric-authentication/introduction.html
[2] http://witmond.nl/blog/2012/10/22/announcing-eccentric-authentication.html
[3] http://witmond.nl/blog/2012/10/22/the-worlds-most-private-dating-site.html
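The core of the scheme described above, as an added example written for this page, not Guido's own implementation (which is linked in the references): a first-party CA that signs a client certificate only while the requested CommonName is still free at that site, and a customer who signs a blog entry with the matching private key so other users can verify it against the site's CA. It uses only the Go standard library. The "name@@domain" subject format, the site names and the blog entry are assumptions constructed for the example; DNSSEC/DANE distribution of the CA certificate and the (dis)honesty registry are outside what this code models.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// FirstPartyCA models the per-site CA from the post: it signs client
// certificates for its own domain only, and only while the requested
// CommonName has not been handed out before at that site.
type FirstPartyCA struct {
	Domain string
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	taken  map[string]bool // CommonNames already issued: the uniqueness rule
	serial int64
}

// NewUserKey generates the private key a customer keeps on the client side.
func NewUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewFirstPartyCA creates a self-signed CA certificate for one site.
func NewFirstPartyCA(domain string) (*FirstPartyCA, error) {
	key, err := NewUserKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "First Party CA", Organization: []string{domain}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &FirstPartyCA{Domain: domain, Cert: cert, key: key, taken: map[string]bool{}, serial: 1}, nil
}

// Issue signs a client certificate for cn, refusing a CommonName this site
// has already given out. The "cn@@domain" subject format is an assumption
// of this example, not something the post specifies.
func (ca *FirstPartyCA) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if ca.taken[cn] {
		return nil, fmt.Errorf("CommonName %q already in use at %s", cn, ca.Domain)
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: cn + "@@" + ca.Domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.taken[cn] = true // the name is now bound to this key at this site
	return cert, nil
}

// SignEntry signs a blog entry with the customer's private key.
func SignEntry(key *ecdsa.PrivateKey, entry []byte) ([]byte, error) {
	h := sha256.Sum256(entry)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyEntry checks that cert was issued by this site's own CA and that sig
// is valid over entry; on success it returns the verified pseudonym.
func VerifyEntry(siteCA, cert *x509.Certificate, entry, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(siteCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(entry)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewFirstPartyCA("example.test") // constructed site name
	alice, _ := NewUserKey()
	cert, _ := ca.Issue("alice", &alice.PublicKey)
	entry := []byte("constructed blog entry")
	sig, _ := SignEntry(alice, entry)
	who, err := VerifyEntry(ca.Cert, cert, entry, sig)
	fmt.Println(who, err)
}
```

Two properties carry the post's argument: a second registration of the same CommonName at the same site is refused, so the name stays bound to one key; and a certificate from one site's CA fails verification under another site's CA, which is what limits each CA to signing for its own site only.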