From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Dave Taht <dave.taht@gmail.com>, Juliusz Chroboczek <jch@irif.fr>
Cc: "Michael Ströder" <michael@stroeder.com>, galene@lists.galene.org
Subject: [Galene] Re: Heads up: Galène generates self-signed certificates
Date: Wed, 24 Feb 2021 22:55:10 +0100 [thread overview]
Message-ID: <8735xl2ksh.fsf@toke.dk> (raw)
In-Reply-To: <CAA93jw4U7wCKRyCv9WzqZTN_4SyrzFSuSARkJKPaK2EpT3K9sg@mail.gmail.com>
Dave Taht <dave.taht@gmail.com> writes:
> Several notes.
>
> I strongly agree with being able to generate a self signed cert.
> Especially if you are operating a server that is off the internet,
> it's difficult to get a cert via let's encrypt,
> and asking folk to run the openssl command line is just asking for trouble.
>
> The CA authority argument has always smelt of the old key escrow argument, and
> I vastly prefer to not register some things with any centralized
> authority and explain to potential users that's why it isn't
> registered and that the "invalid cert" thing is misleading.
>
> I however wouldn't mind if that there was a command within galene to
> fire off the lets encrypt facility if a box is on the public internet
> and has working dns. shell out to acme, I think....
Or just use a Go implementation of the ACME protocol:
https://go-acme.github.io/lego/usage/library/
However, since Galene won't persist anything to disk, I'm not sure if
this is actually a good idea; you'd need to get a new cert every time
you restart the daemon, which I'm not sure is a good idea (it will
likely get you throttled, if nothing else).
-Toke
next prev parent reply other threads:[~2021-02-24 21:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-24 19:30 [Galene] " Juliusz Chroboczek
2021-02-24 19:47 ` [Galene] " Michael Ströder
2021-02-24 21:16 ` Juliusz Chroboczek
2021-02-24 21:24 ` Juliusz Chroboczek
2021-02-24 21:29 ` Dave Taht
2021-02-24 21:55 ` Toke Høiland-Jørgensen [this message]
2021-02-24 21:57 ` Michael Ströder
2021-02-24 22:25 ` Juliusz Chroboczek
2021-02-24 22:02 ` Juliusz Chroboczek
2021-02-24 21:44 ` Michael Ströder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8735xl2ksh.fsf@toke.dk \
--to=toke@toke.dk \
--cc=dave.taht@gmail.com \
--cc=galene@lists.galene.org \
--cc=jch@irif.fr \
--cc=michael@stroeder.com \
--subject='[Galene] Re: Heads up: Galène generates self-signed certificates' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox