Changes between Version 1 and Version 2 of https-for-all


Timestamp:
Nov 22, 2012, 1:06:50 PM
Author:
Daniel Kahn Gillmor
Comment:

changed from /etc/ssl to /etc/x509; noted concern about variant http/https stanzas

  • https-for-all

    v1 v2  
    1212I propose the following locations, all derived from the numeric ID of the red "web configuration" object, represented here as WEBID:
    1313
    14  secret key:: `/etc/ssl/private/member_keys/WEBID.key`
    15  server certificate (cert):: `/etc/ssl/member_certs/WEBID_cert.pem`
    16  certificate signing request (CSR):: `/etc/ssl/member_csrs/WEBID.csr`
    17  intermediate CA certs (iCAs):: `/etc/ssl/member_certs/WEBID_intermediates.pem`
    18  backups:: Automatically backed-up files would go in `/etc/ssl/mfpl-backups/` and would have the timestamp (to 1Hz precision, ISO-8601 format) of the backup prefixed to their name with a dot (e.g. `/etc/ssl/mfpl-backups/2012-05-23_03:32:55.WEBID_cert.pem`)
     14 secret key:: `/etc/x509/private/member_keys/WEBID.key`
     15 server certificate (cert):: `/etc/x509/member_certs/WEBID_cert.pem`
     16 certificate signing request (CSR):: `/etc/x509/member_csrs/WEBID.csr`
     17 intermediate CA certs (iCAs):: `/etc/x509/member_certs/WEBID_intermediates.pem`
     18 backups:: Automatically backed-up files would go in `/etc/x509/mfpl-backups/` and would have the timestamp (to 1Hz precision, ISO-8601 format) of the backup prefixed to their name with a dot (e.g. `/etc/x509/mfpl-backups/2012-05-23_03:32:55.WEBID_cert.pem`)
    1919
    2020A mosh would examine its list of active web configurations from red.  for each webconfig WC, with numeric ID WEBID, it would scan these files for trouble, creating or generating them as needed.
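Review bot: the secret-key path `/etc/x509/private/member_keys/WEBID.key` (new line 14) moves keys out of `/etc/ssl/private`, which Debian's ssl-cert package already creates as root:ssl-cert mode 0710; a freshly created `/etc/x509/private` gets no such protection by default, so the scan described at line 20 should create that directory root-owned with mode 0700 (or 0710 with a group for the web server), and refuse to proceed if the directory or any `WEBID.key` is group- or world-readable. The same applies to `/etc/x509/mfpl-backups/` (new line 18): it is one directory for every kind of backed-up file, so if a `WEBID.key` is ever backed up there the whole directory must be as restrictive as `private/`; either exclude keys from the automatic backups or keep their backups under `private/`. Minor: the colons in `2012-05-23_03:32:55` are legal on Linux but awkward for scp/rsync and unusable on Windows, and 1 Hz precision collides when the same file is backed up twice in one second; the ISO-8601 basic form `20120523T033255` plus a counter on collision avoids both.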
     
    8484== mosh server changes ==
    8585
    86 Perhaps we want to expose `/etc/ssl/member_csrs` directly to the web under the mosh's canonical hostname?  That way we could link to them directly (or include them in an iframe) in the control panel's web UI.
     86Perhaps we want to expose `/etc/x509/member_csrs` directly to the web under the mosh's canonical hostname?  That way we could link to them directly (or include them in an iframe) in the control panel's web UI.
    8787
    8888== red changes ==
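Review bot: if `/etc/x509/member_csrs` is served directly (new line 86), the web server alias must map exactly that directory and never `/etc/x509` or a parent, otherwise `private/member_keys/WEBID.key` is one misconfiguration away from being served; disable directory indexing as well, since a listing enumerates every WEBID with a pending CSR. Publishing the CSRs themselves is fine: a CSR carries only the public key and subject, signed with the private key. For the iframe case, the control panel lives on a different hostname from the mosh, so serve the `.csr` files as `text/plain` (not `text/html`) to keep the embedded content inert, and if the mosh sets `X-Frame-Options` or a `frame-ancestors` policy for hardening, the CSR location needs an exception for the control panel's origin or the frames will be blocked.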
     
    122122As of yet, there are a few corner cases this scheme doesn't permit.
    123123
     124=== deliberately different configurations between http and https ===
     125
     126some member sites may have deliberately made different choices for their web configs between http and https.  This sounds like a bad idea in general to me; i don't know how many of them there are, either.  Hopefully we can track those differences down and help them get normalized.
     127
    124128=== CSRs that need to embed a challenge ===
    125129
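Review bot: the new section (new lines 124-126) names the problem but gives the scan at line 20 nothing to act on; suggest having the mosh diff the http and https stanzas of each WEBID and report divergences rather than hoping to track them down by hand. One deliberate difference should be accepted rather than reported: an http stanza that does nothing but redirect to the https site, which is the end state this page is aiming for. Any other difference, such as a different document root, alias or access control, is exactly the case where generating the https stanza from the http one would either break the site or bypass a restriction, so those are the ones the report should list.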