diff --git a/dist/templates/about/news.html.hbs b/dist/templates/about/news.html.hbs
index 02839264db1d1a40c21275fabaa5574761dd7508..40daa2f14dcdd03df618847c284fb3ceee1dee16 100644
--- a/dist/templates/about/news.html.hbs
+++ b/dist/templates/about/news.html.hbs
@@ -2,6 +2,41 @@
+ To address the certificate-flooding attacks, Hagrid used to strip third-party certifications from certificates. + Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications. + +
+ Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate. + In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed. + +
+ dkg devised such a mechanism — nicknamed 1pa3pc for first-party attested third-party certifications — and refined it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group. + Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications. + +
+ To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications. + You can see an example of such a certificate with a certification here. + +
+ This attestation has been created using Sequoia's low-level key management functions: + +
+$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp +$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp ++ + By uploading mycert.attested.pgp to keys.openpgp.org, the certificate holder agrees to the attested certifications being published. + Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them. + +
+ Looking forward to transparent support in clients and a comeback of strong certification-based authentication models ๐ +
- {{ text "News:" }} {{ text "Celebrating 100.000 verified addresses! ๐ (2019-11-12)" }}
+ {{ text "News:" }} {{ text "Support for third-party certification signatures (2021-09-21)" }}
{{/with}} {{/layout}}
diff --git a/po/hagrid/de.po b/po/hagrid/de.po
index 5aa600def5ec20790fb545920fe9ef80d01f35a3..8efaed37715e17dafa1912c6b3e0448304046075 100644
--- a/po/hagrid/de.po
+++ b/po/hagrid/de.po
@@ -107,11 +107,9 @@ msgstr "News:"
 #: src/gettext_strings.rs:16
 msgid ""
-"Celebrating 100.000 "
-"verified addresses! ๐ (2019-11-12)"
+"Support for third-party "
+"certification signatures (2021-09-21)"
 msgstr ""
-"Wir feiern 100.000 "
-"รผberprรผfte Adressen! ๐ (2019-11-12)"
 #: src/gettext_strings.rs:17
 msgid "v{{ version }} built from"
@@ -481,3 +479,10 @@ msgstr "Zeitlimit beim Hochladen abgelaufen. Bitte versuch es erneut."
 #: src/web/vks.rs:284
 msgid "Invalid verification link."
 msgstr "Ungรผltiger Bestรคtigungs-Link."
+
+#~ msgid ""
+#~ "Celebrating 100.000 "
+#~ "verified addresses! ๐ (2019-11-12)"
+#~ msgstr ""
+#~ "Wir feiern 100.000 "
+#~ "รผberprรผfte Adressen! ๐ (2019-11-12)"
diff --git a/po/hagrid/en.po b/po/hagrid/en.po
index 0e17e97a10feea83aad947b41b5ef8f200df4270..e3f8e3b58265ab1d7569c97092fe3e0986a907e3 100644
--- a/po/hagrid/en.po
+++ b/po/hagrid/en.po
@@ -103,8 +103,8 @@ msgstr "News:"
 #: src/gettext_strings.rs:16
 msgid ""
-"Celebrating 100.000 "
-"verified addresses! ๐ (2019-11-12)"
+"Support for third-party "
+"certification signatures (2021-09-21)"
 msgstr ""
 #: src/gettext_strings.rs:17
diff --git a/po/hagrid/hagrid.pot b/po/hagrid/hagrid.pot
index 116ce4ad75a4dbd8486ea26253b2484cde0f1019..4f69fbbe17ed14aa7a33b2f45682800fbf375d86 100644
--- a/po/hagrid/hagrid.pot
+++ b/po/hagrid/hagrid.pot
@@ -91,7 +91,7 @@ msgid "News:"
 msgstr ""
 #: src/gettext_strings.rs:16
-msgid "Celebrating 100.000 verified addresses! ๐ (2019-11-12)"
+msgid "Support for third-party certification signatures (2021-09-21)"
 msgstr ""
 #: src/gettext_strings.rs:17
diff --git a/po/hagrid/ja.po b/po/hagrid/ja.po
index ef549aa2081c8c0f466937ce989564c5baed9774..c9c564338688f6f1eb2f7c4c3653f098a3c84c48 100644
--- a/po/hagrid/ja.po
+++ b/po/hagrid/ja.po
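Review bot: In dist/templates/about/news.html.hbs the added note says the key holder "will also have to test to these", which looks like a typo for `attest to these`; as written, the sentence does not tell readers that newly received certifications need a fresh attestation before keys.openpgp.org publishes them. The second added paragraph also has "to chose what certifications", where `to choose which certifications` is meant. Both commands read and write `mykey*.pgp` files, which presumably hold secret key material given the separate `extract-cert` step, so I would add a sentence after the commands along the lines of `Upload only mycert.attested.pgp; mykey.attested.pgp still contains your secret key.` The same text is added in templates-untranslated/about/news.html.hbs and needs the same corrections.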
@@ -107,8 +107,8 @@ msgstr "ใใฅใผใน:"
 #: src/gettext_strings.rs:16
 msgid ""
-"Celebrating 100.000 "
-"verified addresses! ๐ (2019-11-12)"
+"Support for third-party "
+"certification signatures (2021-09-21)"
 msgstr ""
 #: src/gettext_strings.rs:17
diff --git a/src/gettext_strings.rs b/src/gettext_strings.rs
index 8e36a4ee5d014a7f9c8870f9c6ab24deeaa5c87e..c18e1ae13a786237388943990b16bcfa644216e2 100644
--- a/src/gettext_strings.rs
+++ b/src/gettext_strings.rs
@@ -13,7 +13,7 @@ fn _dummy() {
 t!("You can also upload or manage your key.");
 t!("Find out more about this service.");
 t!("News:");
- t!("Celebrating 100.000 verified addresses! ๐ (2019-11-12)");
+ t!("Support for third-party certification signatures (2021-09-21)");
 t!("v{{ version }} built from");
 t!("Powered by Sequoia-PGP");
 t!("Background image retrieved from Subtle Patterns under CC BY-SA 3.0");
diff --git a/templates-untranslated/about/news.html.hbs b/templates-untranslated/about/news.html.hbs
index 161d22885d011dc09aeab36f9a696fb1495e8054..b3e10ef820156fcf78cd9779ea4612e14f20d128 100644
--- a/templates-untranslated/about/news.html.hbs
+++ b/templates-untranslated/about/news.html.hbs
@@ -1,6 +1,41 @@
+ To address the certificate-flooding attacks, Hagrid used to strip third-party certifications from certificates. + Simply stripping third-party certifications does solve the problem of certificate flooding, but at the cost of breaking authentication models that require third-party certifications. + +
+ Hagrid is designed around the notion of Certificate Sovereignty, i.e. giving the certificate holder control over what is published with the certificate. + In line with this, rather than stripping certifications, a more nuanced way of preventing the flooding attack is to allow the certificate holder to chose what certifications should be distributed. + +
+ dkg devised such a mechanism — nicknamed 1pa3pc for first-party attested third-party certifications — and refined it in cooperation with Vincent Breitmoser and Werner Koch in the OpenPGP IETF working group. + Even though client support for this is currently limited to Sequoia, DKGPG, and PGPy, we are confident that other OpenPGP implementations will follow as soon as abuse-resistant key servers serve attested certifications. + +
+ To that end, we're happy to announce that keys.openpgp.org now serves attested third-party certifications. + You can see an example of such a certificate with a certification here. + +
+ This attestation has been created using Sequoia's low-level key management functions: + +
+$ sq key attest-certifications <mykey.pgp >mykey.attested.pgp +$ sq key extract-cert <mykey.attested.pgp >mycert.attested.pgp ++ + By uploading mycert.attested.pgp to keys.openpgp.org, the certificate holder agrees to the attested certifications being published. + Note: if the certificate receives additional certifications the key holder will also have to test to these for keys.openpgp.org to publish them. + +
+ Looking forward to transparent support in clients and a comeback of strong certification-based authentication models ๐ +