(soon a blog post)

Thinking about setting up a little cooperative called #nerdcert, where we use Let's Encrypt-style certificate generation, renewal and distribution with ACME support, but only for certificates whose EKU (Extended Key Usage) entries go beyond serverAuth, the only EKU Google will accept from mid next year :) Context: thread and replies at https://social.wildeboer.net/@jwildeboer/114517884390728050
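To make the EKU point concrete, here is an added example (not code from the thread or from nerdcert.eu) that encodes and decodes the X.509 ExtendedKeyUsage extension value with a minimal DER codec, so a verifier can see exactly which key purposes a certificate asserts and which of them go beyond serverAuth. The OID table follows RFC 5280 section 4.2.1.12; the function names and all byte strings are constructed for this example, and only the Python standard library is used.

```python
"""Added example: minimal DER codec for the X.509 ExtendedKeyUsage extension."""

# Well-known EKU OIDs (RFC 5280 section 4.2.1.12 plus the anyExtendedKeyUsage wildcard).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
EKU_OIDS = {name: oid for oid, name in EKU_NAMES.items()}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse DER length octets at pos; return (length, position after them)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # last group has the continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(names_or_oids) -> bytes:
    """Build the extnValue of ExtendedKeyUsage: SEQUENCE OF KeyPurposeId."""
    inner = b"".join(encode_oid(EKU_OIDS.get(x, x)) for x in names_or_oids)
    return b"\x30" + _der_length(len(inner)) + inner


def decode_eku(der: bytes) -> list[str]:
    """Parse an ExtendedKeyUsage extnValue into EKU names (dotted OID if unknown)."""
    if not der or der[0] != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    purposes = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        if pos + oid_len > end:
            raise ValueError("OID runs past the end of the SEQUENCE")
        oid = decode_oid(der[pos:pos + oid_len])
        purposes.append(EKU_NAMES.get(oid, oid))
        pos += oid_len
    return purposes


def beyond_server_auth(der: bytes) -> list[str]:
    """Key purposes a TLS-only root program would not accept (everything except serverAuth)."""
    return [p for p in decode_eku(der) if p != "serverAuth"]


if __name__ == "__main__":
    # Constructed samples: the profile the thread asks for, next to a plain web-server one.
    nerd = encode_eku(["codeSigning", "emailProtection"])
    print(nerd.hex(), decode_eku(nerd), beyond_server_auth(nerd))
    web = encode_eku(["serverAuth"])
    print(web.hex(), decode_eku(web), beyond_server_auth(web))
```

The decoder deliberately rejects a KeyPurposeId that runs past its enclosing SEQUENCE and an OID whose last byte still has the continuation bit set, which are the two truncation cases a lenient parser tends to accept silently.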

Jan Wildeboer 😷 (@jwildeboer@social.wildeboer.net)

@phlash@mastodon.me.uk Yep. And they could allow more EKUs on the second PKI. CodeSigning, MailProtection. Let's Encrypt should be more than just the minimal ServerAuth that Google will accept. @IchEben@tootdorf.de

(some people take notes, I note such ideas as domain names ;) https://nerdcert.eu will soon get a landing page.
Preliminary landing page deployed and (irony alert) secured with a Let's Encrypt certificate. HELLO NERDS
Site source now mirrored at https://codeberg.org/jwildeboer/nerdcertMirror where you can also open issues to discuss what to do with this idea. No pull requests, though. We are not that far yet :)
Finished with the basics on the website, https://nerdcert.eu is now more or less at V0.1. The long blog post is next, but first I need something to eat and a lot of sleep :)

@jwildeboer I like the idea. Looking forward to learning more.

@jwildeboer For an out-of-the-box solution you could look at the Smallstep CA tool; there is a free version that I use to issue internal certs with ACME.

https://smallstep.com/docs/step-ca/#ssh-certificate-authority


@jwildeboer Aaaaand it is yours.
@jwildeboer I'd be willing to donate to such a service for my MX host
@jwildeboer Can I haz Code Signing EKU? :)
@jwildeboer I am more than interested.

@jwildeboer Just in case you're not aware of it, this sounds like something TUF[^1] could play a useful part in. It's a cryptographic framework which allows control to be distributed among multiple parties, defining policy around the level of agreement required to change things.

[^1]: https://theupdateframework.io


@jwildeboer I really like the idea and am working on a very aligned project.
Free S/MIME certs with mailbox-validation only for the beginning, but definitely plans to expand into organization or individual validation.
The homepage is nothing more than a placeholder without any information on it yet.

What types of name validations are the plan for nerdcert?

@dbauer That's the interesting part of my idea. If we set it up as a cooperative, it means that members must first pay, which second means that we have to do the KYC (Know Your Customer) dance, which would allow us to go beyond DV (Domain Validation) to EV (Extended Validation) more or less as a byproduct ;)