Verified commit 0e08808a authored by Justus Winter

Add news entry for 1pa3pc.

parent 90356ddb
Pipeline #374392037 passed with stage
in 12 minutes and 28 seconds
......@@ -2,6 +2,41 @@
<div class="about">
<center><h2><a href="/about">About</a> | News | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>
<h2 id="2021-09-20-1pa3pc">
<div style="float: right; font-size: small; line-height: 2em;">2021-09-20 📅</div>
<a style="color: black;" href="/about/news#2021-09-20-1pa3pc">Support for third-party certification signatures</a>
</h2>
<p>
To address the <a href="https://lwn.net/Articles/792366/">certificate-flooding attacks</a>, Hagrid used to strip third-party certifications from certificates.
Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications.
<p>
Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate.
In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed.
<p>
dkg devised such a mechanism &mdash; nicknamed <a href="https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/-/blob/master/draft-dkg-openpgp-abuse-resistant-keystore.md#first-party-attested-third-party-certifications-fpatpc">1pa3pc</a> for first-party attested third-party certifications &mdash; and <a href="https://gitlab.com/openpgp-wg/rfc4880bis/-/blob/main/rfc4880bis.md#attested-certifications-attested-certifications">refined</a> it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group.
Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications.
<p>
To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications.
You can see an example of such a certificate with a certification <a href="https://keys.openpgp.org/search?q=noemi-melissa%40probier.email">here</a>.
<p>
This attestation has been created using Sequoia's low-level key management functions:
<pre>
$ sq key attest-certifications &lt;mykey.pgp &gt;mykey.attested.pgp
$ sq key extract-cert &lt;mykey.attested.pgp &gt;mycert.attested.pgp
</pre>
By uploading <tt>mycert.attested.pgp</tt> to keys.openpgp.org, the certificate holder agrees to the attested certifications being published.
Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them.
<p>
Looking forward to transparent support in clients and a comeback of strong certification-based authentication models 🙌
<h2 id="2019-11-12-celebrating-100k">
<div style="float: right; font-size: small; line-height: 2em;">2019-11-12 📅</div>
<a style="color: black;" href="/about/news#2019-11-12-celebrating-100k">Celebrating 100.000 verified addresses! 📈</a>
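Review bot: Two typos in the new entry change its meaning. In the Certificate Sovereignty paragraph, "allow the certificate holder to chose what certifications" should read "to choose". In the closing note, "the key holder will also have to test to these" should read "attest to these", matching the term used by the rest of the entry and by the `sq key attest-certifications` command. The added `<p>` tags are also never closed; if the existing entries in this template close theirs, match that.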
......
......@@ -4,6 +4,12 @@
<link href="{{ base_uri }}/atom.xml" rel="self"/>
<id>urn:uuid:8e783366-73b1-460e-83d3-42f01046646d</id>
<updated>2019-11-12T12:00:00Z</updated>
<entry>
<title>Support for third-party certification signatures</title>
<link href="{{ base_uri }}/about/news#2021-09-20-1pa3pc" />
<updated>2021-09-21T12:00:00Z</updated>
<id>urn:uuid:aca50bf2-5310-4d6a-8ee1-d361be7ce201</id>
</entry>
<entry>
<title>Celebrating 100.000 verified addresses! 📈</title>
<link href="{{ base_uri }}/about/news#2019-11-12-celebrating-100k" />
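Review bot: The feed-level `<updated>2019-11-12T12:00:00Z</updated>` in the context above the new `<entry>` is left unchanged, while the entry itself carries `2021-09-21T12:00:00Z`. The feed-level element is meant to give the most recent time the feed changed in a significant way, so bump it to the new entry's timestamp in the same commit.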
......
......@@ -25,7 +25,7 @@
<hr />
<p>
<strong>{{ text "News:" }}</strong> {{ text "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)" }}
<strong>{{ text "News:" }}</strong> {{ text "<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)" }}
</p>
{{/with}}
{{/layout}}
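Review bot: The homepage line dates the entry "(2021-09-21)", but the anchor it links to is `#2021-09-20-1pa3pc` and the news page heading displays 2021-09-20. Pick one date and use it consistently in the heading, the anchor, the Atom entry and this string, because this string is also the msgid in every translation catalog and a later correction would invalidate the translations again.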
......@@ -107,11 +107,9 @@ msgstr "News:"
#: src/gettext_strings.rs:16
msgid ""
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
"verified addresses! 📈</a> (2019-11-12)"
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
"certification signatures</a> (2021-09-21)"
msgstr ""
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Wir feiern 100.000 "
"überprüfte Adressen! 📈</a> (2019-11-12)"
#: src/gettext_strings.rs:17
msgid "v{{ version }} built from"
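Review bot: Replacing the msgid here leaves the German msgstr empty, so the homepage news line falls back to English for German users until the string is retranslated. Because the msgid embeds the href, the title and the date, every news entry invalidates all translations of this string; consider making only the title translatable and building the link and the date in the template.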
......@@ -481,3 +479,10 @@ msgstr "Zeitlimit beim Hochladen abgelaufen. Bitte versuch es erneut."
#: src/web/vks.rs:284
msgid "Invalid verification link."
msgstr "Ungültiger Bestätigungs-Link."
#~ msgid ""
#~ "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
#~ "verified addresses! 📈</a> (2019-11-12)"
#~ msgstr ""
#~ "<a href=\"/about/news#2019-11-12-celebrating-100k\">Wir feiern 100.000 "
#~ "überprüfte Adressen! 📈</a> (2019-11-12)"
......@@ -103,8 +103,8 @@ msgstr "News:"
#: src/gettext_strings.rs:16
msgid ""
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
"verified addresses! 📈</a> (2019-11-12)"
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
"certification signatures</a> (2021-09-21)"
msgstr ""
#: src/gettext_strings.rs:17
......
......@@ -91,7 +91,7 @@ msgid "News:"
msgstr ""
#: src/gettext_strings.rs:16
msgid "<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)"
msgid "<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)"
msgstr ""
#: src/gettext_strings.rs:17
......
......@@ -107,8 +107,8 @@ msgstr "ニュース:"
#: src/gettext_strings.rs:16
msgid ""
"<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 "
"verified addresses! 📈</a> (2019-11-12)"
"<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party "
"certification signatures</a> (2021-09-21)"
msgstr ""
#: src/gettext_strings.rs:17
......
......@@ -13,7 +13,7 @@ fn _dummy() {
t!("You can also <a href=\"/upload\">upload</a> or <a href=\"/manage\">manage</a> your key.");
t!("Find out more <a href=\"/about\">about this service</a>.");
t!("News:");
t!("<a href=\"/about/news#2019-11-12-celebrating-100k\">Celebrating 100.000 verified addresses! 📈</a> (2019-11-12)");
t!("<a href=\"/about/news#2021-09-20-1pa3pc\">Support for third-party certification signatures</a> (2021-09-21)");
t!("v{{ version }} built from");
t!("Powered by <a href=\"https://sequoia-pgp.org\">Sequoia-PGP</a>");
t!("Background image retrieved from <a href=\"https://www.toptal.com/designers/subtlepatterns/subtle-grey/\">Subtle Patterns</a> under CC BY-SA 3.0");
......
<div class="about">
<center><h2><a href="/about">About</a> | News | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>
<h2 id="2021-09-20-1pa3pc">
<div style="float: right; font-size: small; line-height: 2em;">2021-09-20 📅</div>
<a style="color: black;" href="/about/news#2021-09-20-1pa3pc">Support for third-party certification signatures</a>
</h2>
<p>
To address the <a href="https://lwn.net/Articles/792366/">certificate-flooding attacks</a>, Hagrid used to strip third-party certifications from certificates.
Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications.
<p>
Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate.
In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed.
<p>
dkg devised such a mechanism &mdash; nicknamed <a href="https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/-/blob/master/draft-dkg-openpgp-abuse-resistant-keystore.md#first-party-attested-third-party-certifications-fpatpc">1pa3pc</a> for first-party attested third-party certifications &mdash; and <a href="https://gitlab.com/openpgp-wg/rfc4880bis/-/blob/main/rfc4880bis.md#attested-certifications-attested-certifications">refined</a> it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group.
Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications.
<p>
To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications.
You can see an example of such a certificate with a certification <a href="https://keys.openpgp.org/search?q=noemi-melissa%40probier.email">here</a>.
<p>
This attestation has been created using Sequoia's low-level key management functions:
<pre>
$ sq key attest-certifications &lt;mykey.pgp &gt;mykey.attested.pgp
$ sq key extract-cert &lt;mykey.attested.pgp &gt;mycert.attested.pgp
</pre>
By uploading <tt>mycert.attested.pgp</tt> to keys.openpgp.org, the certificate holder agrees to the attested certifications being published.
Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them.
<p>
Looking forward to transparent support in clients and a comeback of strong certification-based authentication models 🙌
<h2 id="2019-11-12-celebrating-100k">
<div style="float: right; font-size: small; line-height: 2em;">2019-11-12 📅</div>
<a style="color: black;" href="/about/news#2019-11-12-celebrating-100k">Celebrating 100.000 verified addresses! 📈</a>
......