Initial Thoughts

Story: Reclaiming our Web
Total Replies: 3
Author Content
dotmatrix

Apr 03, 2016
10:08 AM EDT
Self hosted

Linode is also a great choice for self-hosting.

Content Metadata

There is a requirement to produce pages and content that contain meaningful and easily queryable metadata. There is also a requirement for a solution to control how metadata is made available to the various 'big' web crawlers and spiders. A large measure of the control of content is control over what 'big web' can see.

I have experimented with various architectures for exerting this control. I've found that the easiest way is to run a nearly blank main page with zero links, turn off 'indexes' in Apache, and place actual content in unguessable directories. In general, my tests with this architecture result in a near zero 'big web' profile.

Quick

For an entire IaaS server self-hosted site, rsync is easily configurable to update pages and content that are written or added off line first.

Queryable

I don't know enough about this to have a basic solution to work with.

Agents

I don't know enough about this to have a basic solution to work with.

Authentication

PGP keys running through GPG are a great method of authentication. Creation of an Apache auth module for PGP authentication would help in this. For those familiar with X509 certs, a PGP key which has been signed by at least one other party ...the party could even be an automated signature verified through domain level DNS public keys... is the equivalent of an X509 cert.

Extra requirement

Real privacy with regard to domain registration. There are costly registration options available, however these options necessarily rely on a third party to maintain that privacy.
ahab

Apr 05, 2016
1:48 PM EDT
Thanks for reply dotmatrix.

Linode - very nice - have not seen/used them before but is exactly what I am talking about. Will have a closer look.

Your comment about big web indexing your pages is an interesting one. Let me first say that I actually don't begrudge the search providers whatever they earn from indexing my pages. If it was not for them, nobody would find anything!! So I am assuming you are writing from the context of having pages you do *not* want to be found but giving them unguessable URLs with no links. And I can only assume this is to provide "security by obscurity" and you actually want *some* invited people to view them. Otherwise they will never be found. Of course as soon as anyone adds a link to one of the hidden URLs the search robots will find it, and the cover will be blown.

Yes rsync is nice and I also use it to push out changes to my site.

Queryable and Agents I will come back to on my next blog. Sit tight!

And thanks for tip on PGP keys. This is one of those things that I have been aware of for years and just never dug into. It sounds like there is not an auth module in Apache right now, so yes this would be the ideal place to have it. How is a key validated?

On the extra requirement, are you referring to the CAs who validate that a given https site is valid? Again I see these third parties as a necessary and fairly innocuous part of the picture. They provide a service which they charge up front for and you know exactly what you are getting. I have no big gripe with that.

My issue is more with the sites we send all our content to for the privilege of sharing and all the unfortunate side-effects this brings with it.
dotmatrix

Apr 06, 2016
1:14 PM EDT
On PGP keys:

There is much confusion regarding PGP keys versus X509 certificates.

Generally during a discussion of cryptographic keys, someone will indicate that PGP is a 'web-of-trust' while X509 certs and CAs are centralized trust. This is misleading and not entirely correct.

If you look at a PGP key and an X509 certificate you will see that they are approximately the same. An X509 certificate is a signed public key. A PGP key is a signed public key. The keys themselves are the same or can be. In fact, you can generate a key pair with openssl and then use that key to generate a PGP key. The differences between these cryptographic items are related to who is signing the key.

With the CA architecture, the signatures on a given public key are any one of a number of designated public signers.

With a PGP key, the signatures on a given public key may be anyone or any system.

You can see that the difference lies in who is trusted, but there is no difference in the actual trust model. Both systems are 'webs-of-trust' ... the CA model is simply a web-of-trust of CAs while the PGP model is a 'web-of-trust' of unlisted signers.

However, there is a movement in the CA model to allow a domain to pick a designated CA signer. This designation can be given as a web server component [i.e. cert pinning] but a better way would be to insert the designation as a DNS record.

It might be a bit clearer now... if there is a DNS record listing a domain designated signer of cryptographic public keys... the floodgates suddenly open and any domain will be able to list any signer as valid for any type of key.

There are huge advantages to using PGP rather than X509 certificates for user authentication. There are also huge advantages to using X509 rather than PGP for SSL/TLS connections. In a DNS record designation architecture, a domain could list a regular CA as 'trusted' for SSL/TLS connections and also list a domain controlled and automated 'signer' for user submitted PGP keys.

So... SSL/TLS goes on as usual.

But... Creating a user account on a given website would go something like this:
  1. A user generates an 'authentication' PGP key pair.
  2. The user copies the 'authentication' public key into the box labelled 'public key' on the account creation page.
  3. The web server automatically signs the key.
  4. The user imports the domain signature onto the user's PGP keyring.
  5. Logging in then simply consists of presenting the signed key and proving that the user owns the private key.

The above may seem like a lot of work for a given user. However, nearly everything can be automated except choosing the 'authentication' key and entering in the secret key passphrase. It's important to note that in the above model, there is no password on a user's account. Neither the passphrase nor the private key ever leave the end-user's machine.

There are already X509 methods to use cryptographic public keys to login. This is called 'client-certificates.' Those familiar with client certs will recognize the signing process... however, PGP allows the end-user to carry around a sort-of 'wallet' of key pairs with each key pair having its own set of signatures.
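An added example, not part of the original post: the sign-up and login steps above sketched in Go, with raw Ed25519 keys from the standard library standing in for OpenPGP keys and signatures. The names `Site`, `Register`, `Challenge`, `Login` and `Prove`, the message prefixes, and the use of a single-use nonce as the proof of possession are assumptions; the post does not say how ownership of the private key is proven.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Site is the web server: the domain's signing key plus outstanding login nonces.
type Site struct {
	priv    ed25519.PrivateKey
	pending map[string][]byte // user public key -> nonce awaiting a proof
}

// Register is step 3: the server signs the submitted public key.
func (s *Site) Register(userPub ed25519.PublicKey) []byte {
	return ed25519.Sign(s.priv, append([]byte("account-cert:"), userPub...))
}

// Challenge hands out a fresh nonce for one login attempt (assumed mechanism).
func (s *Site) Challenge(userPub ed25519.PublicKey) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.pending[string(userPub)] = n
	return n
}

// Login is step 5: check the domain signature on the key, then the proof of possession.
func (s *Site) Login(userPub ed25519.PublicKey, cert, proof []byte) bool {
	n, ok := s.pending[string(userPub)]
	delete(s.pending, string(userPub)) // a nonce is consumed even when the attempt fails
	sitePub := s.priv.Public().(ed25519.PublicKey)
	return ok && len(userPub) == ed25519.PublicKeySize &&
		ed25519.Verify(sitePub, append([]byte("account-cert:"), userPub...), cert) &&
		ed25519.Verify(userPub, append([]byte("login-proof:"), n...), proof)
}

// Prove runs on the user's machine; the private key never leaves it.
func Prove(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte("login-proof:"), nonce...))
}

func main() {
	_, sitePriv, _ := ed25519.GenerateKey(rand.Reader)
	site := &Site{sitePriv, map[string][]byte{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 1, on the user's machine
	fmt.Println("login accepted:", site.Login(pub, site.Register(pub), Prove(priv, site.Challenge(pub))))
}
```

The distinct prefixes keep a login proof from ever being accepted as a key signature, and deleting the nonce on every attempt means a captured proof cannot be replayed.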
ahab

Apr 12, 2016
5:29 AM EDT
Thanks for this, sorry for slow reply. I will definitely follow this through - sounds like a nice solution.
