groente at puscii.nl
Thu Mar 15 17:50:40 PDT 2012
> > This has triggered further discussion on the imc-cert list
> I have not heard of that list / working group until now. Could you
> please tell me more about it?
I was directed there on IRC; actually, I don't know much about the history of the list, but the name sounded like a good place to discuss certificates ;-)
> > 1) the use of a wildcard-certificate would require the same private
> > key to be shared between all sites using the wildcard certificate.
> > This has the undesirable effect that if one site using the wildcard
> > certificate is compromised, all SSL-traffic on the other sites using
> > the wildcard certificate can be decrypted. The use of individual
> > certificates overcomes the problem.
> That's interesting, then I was mistaken that the keys are independent
> from the certificates when a wildcard certificate is used. Is this an
> assumption, are there any documents discussing this or has someone tried
> it out?
Well, certificates are always related to one specific key. You need a CSR to get a certificate, which is created using your key. Using a different key will result in a different CSR with a different certificate.
In theory, one could have multiple keys, each with its own wildcard certificate, but that would be very expensive and beside the point.
As usual, the Wikipedia article explains it all pretty well (https://en.wikipedia.org/wiki/Public_key_certificate).
> > The imc-cert group is of course willing to assist local collectives
> > in the acquisition and deployment of new certificates. Simply mail
> > imc-cert at lists.indymedia.org and things will be put in motion.
> Does this mean that an IMC should send a CSR to that list? Or a mail
> stating interest in a certificate from a specific CA?
That depends on the needs of the local collective. I think local collectives should decide for themselves what kind of certificate they want and organise this locally as much as possible (this would include raising funds). If there are questions or uncertainties, imc-cert is a good place to ask. Often a confirmation mail from admin at indymedia.org will be required to order a cert; that's something that can be coordinated with imc-cert.
> > Considering the fuzziness of global process, a deadline for this
> > proposal is set on April 1st, 2012. If nobody has blocked the
> > proposal before then, consensus is assumed.
> I am a bit lost regarding the moderation of the imc-process list as your
> mail is a (in my opinion sane and good) proposal but does not meet the
> criteria of the imc-process list: it's neither from an IMC nor
> bilingual. What should I do?
Oh dear, I wasn't aware of such criteria. If it makes people happy, I can send the same mail from info at indymedia.nl.
Bilinguality is something I'm gonna need some help with, though (translating to Dutch doesn't seem to make very much sense and I wouldn't want to embarrass myself trying any other language).
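
Added example, not part of the original message: the key/CSR/certificate binding discussed above, checked by fingerprinting the public key carried in each object with the `openssl` command line. The file names, the `*.example.org` subject and the self-signed certificate (standing in for a CA-issued wildcard certificate) are constructed for illustration.

```bash
# Added example; every key, CSR and certificate here is constructed on the fly.

# SHA-256 fingerprint of the public key inside a private key, CSR or certificate.
pubkey_fp() {  # usage: pubkey_fp key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Two independent keys, a CSR made from each, and one wildcard certificate
# issued from the first CSR (self-signed here instead of sent to a CA).
make_fixture() {  # usage: make_fixture DIR
  for n in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$1/$n.key" 2>/dev/null
    openssl req -new -key "$1/$n.key" -subj "/CN=*.example.org" -out "$1/$n.csr"
  done
  openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
    -out "$1/wild.crt" 2>/dev/null
}

# A host can only serve a certificate if it holds the matching private key,
# which is why every site behind one wildcard certificate shares one key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]
}

d=$(mktemp -d)
make_fixture "$d"
for f in key:a.key csr:a.csr cert:wild.crt key:b.key csr:b.csr; do
  printf '%-9s %s\n' "${f#*:}" "$(pubkey_fp "${f%%:*}" "$d/${f#*:}")"
done
key_matches_cert "$d/a.key" "$d/wild.crt" && echo "a.key matches wild.crt"
key_matches_cert "$d/b.key" "$d/wild.crt" || echo "b.key does not match wild.crt"
rm -rf "$d"
```

The first three fingerprints printed are identical and the last two differ from them: a second key yields a different CSR and would need its own certificate.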