[Cryptography] On the deployment of client-side certs

Phillip Hallam-Baker phill at hallambaker.com
Tue Nov 22 14:50:02 EST 2016

On Wed, Nov 16, 2016 at 7:24 PM, John Gilmore <gnu at toad.com> wrote:

> > The Mesh is a user centric PKI for managing client side keys.
> It seems to depend on centralized "cloud" servers.  You forgot to
> mention this.  (Normally, what is colloquially known as a "mesh" does
> not depend on servers that are not part of the set of clients.  The
> clients "mesh" with each other, not with some third party.)
> Its dependency on this/these servers is undefined and undocumented.
> Which operations work when the server is down or the network to it is
> unavailable, and which do not?
> The link to "how to set up your own portal":
>   http://prismproof.org/UserGuide/portal
> is a 404.  And the source code links are nonexistent.

​The git hub repository links should work.​ The reference material links to
the documentation first as that is what people are more likely to be
navigating to on a regular basis. The repositories are listed under

I am currently testing out the instructions on how to start your own
portal. Taking a little more time than I hoped.

The cloud part of the Mesh does not store any confidential data. All the
confidential data is encrypted end to end under keys held at the devices.

At present the main function of the cloud service is simply to provide a
dropbox that is always available that devices can connect to. Pure peer to
peer systems are difficult to use because both peers have to be on at the
same time.

Later on, I would like to be able to expand that role so that the portal
becomes a hub through which devices can consume a range of security
services. In the near term the most important of those are secure time and
curated DNS.

For security purposes, access to a reasonably accurate clock is really
important. I am aware of Secure NTP of course. But... Well for my purposes,
I really want multiple statements about time:

1) A statement that applications can be ~100% certain of that states 'this
time has passed' which can be 24, 48 hours in the past.

2) A statement that applications can be reasonably certain of, that a
trusted party asserts that the current time is within 10 seconds of a
stated value.

3) An untrusted statement that the current time is X which is accurate to
100ms or better

That combined with the ability to make statements of the form 'I want to do
X provided you can complete before the time you think is Y' allow me to
address most of my time based security concerns.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161122/5ec4f366/attachment.html>

More information about the cryptography mailing list