author Guilhem Moulin <guilhem.moulin@fripost.org> 2014-04-12 16:39:42 +0200
committer Guilhem Moulin <guilhem.moulin@fripost.org> 2014-04-12 16:39:42 +0200
commit b8b6b4785e0175e564ca49f65b3786e55ba9663d
tree 9c6f68e14b7000b67fbcd832c9aa70b7cd940a0c
parent 0fb0253d087a8645e3ec8ccadd1009ee0a0dd133
PGP-sign the list of fingerprints we use.
-rw-r--r-- fripost-web.el | 2
-rw-r--r-- site/certifikat.org | 27
-rw-r--r-- site/certs | 64
-rw-r--r-- site/certs.asc | 84
-rw-r--r-- site/index.org | 2
5 files changed, 150 insertions, 29 deletions
diff --git a/fripost-web.el b/fripost-web.el
index 3f1f298..e39a32f 100644
--- a/fripost-web.el
+++ b/fripost-web.el
@@ -51,7 +51,7 @@
("fripost-web-static"
:base-directory ,(concat default-directory "/site/")
- :base-extension "css\\|js\\|png\\|jpg\\|gif\\|eps\\|pdf\\|mp3\\|ogg\\|txt"
+ :base-extension "css\\|js\\|png\\|jpg\\|gif\\|eps\\|pdf\\|mp3\\|ogg\\|txt\\|asc"
:publishing-directory ,(concat default-directory "/publish/")
:exclude "/publish/"
:recursive t
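Review bot: the `:base-extension` line gains `asc`, but the `site/certs` file added in this same commit has no extension, so this static component will publish `certs.asc` and skip `certs`. If `certs` is only the input that gets signed, a comment here saying so (or keeping it outside `site/`) would avoid confusion; if the unsigned copy is meant to be downloadable too, it needs a name this regexp matches.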
diff --git a/site/certifikat.org b/site/certifikat.org
deleted file mode 100644
index c9100e9..0000000
--- a/site/certifikat.org
+++ /dev/null
@@ -1,27 +0,0 @@
-#+TITLE: Certifikat
-#+SETUPFILE: includes/level-0.org
-
-Fripost använder säkra anslutningar med certifikat från bland annat [[https://cacert.org][CAcert]]. Det
-är inte alla webbläsare som automatiskt litar på certifikat signerade av CAcert,
-och därför måste dessa webbläsare förses med [[http://www.cacert.org/index.php?id=3][CAcerts root-certifikat]].
-
-De flesta webbläsare har guider för hur man förser dem med certifikat. Artikeln
-"[[http://wiki.cacert.org/FAQ/ImportRootCert][How can I trust CAcert's root certificate?]]" beskriver också utförligt hur man
-gör.
-
-Det är bra att jämföra certifikatens fingeravtryck med några man får från en
-pålitlig källa.
-
-Detta är fingeravtryck till certificat som Fripost använder
-
-- /fripost.org/ och /mail.fripost.org/ (web)
- SHA1 45:06:91:D4:B4:1C:32:6F:FB:5D:DE:4C:BE:FB:7D:2A:CB:30:4F:71
-- /imap.fripost.org/ (IMAP)
- SHA1 BE:CA:4E:39:C6:11:6B:FC:70:38:6C:DB:A6:7E:1C:10:2A:E5:09:C4
-- /smtp.fripost.org/ (MSA)
- SHA1 03:87:02:C9:6E:01:D3:AD:BC:EC:77:CC:A5:C5:37:C1:D8:C1:29:BC
-- /mail2.fripost.org/
- SHA1 EA:50:38:19:38:6A:49:BF:5D:3C:4D:04:64:6F:0D:D3:AC:20:76:C2
-
-
-[[file:index.org][Till startsidan]].
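Review bot: deleting this file drops the CAcert root-certificate import guidance in its first two paragraphs, and nothing in the new `site/certs` replaces it, so readers whose browser does not trust CAcert lose the instructions. The previously published `certifikat.html` also stops existing; a short stub that points to `certs.asc` and keeps the CAcert links would preserve old bookmarks. Separately, the removed list gave SHA1 `EA:50:38:...` for `mail2.fripost.org` while the new list publishes the same value under `git.fripost.org`, and the fripost.org web fingerprint changes from `45:06:91:...` to `E1:82:59:...`; the commit message should say that the rename and the certificate change are intentional.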
diff --git a/site/certs b/site/certs
new file mode 100644
index 0000000..93c9b78
--- /dev/null
+++ b/site/certs
@@ -0,0 +1,64 @@
+The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all
+X.509 certificates Fripost uses on its publicly available services. Please
+consider any mismatch as a man-in-the-middle attack, and let us know
+immediately! -- admin@fripost.org
+
+
+ * IMAP server
+ imap.fripost.org:993
+ SHA1 BE:CA:4E:39:C6:11:6B:FC:70:38:6C:DB:A6:7E:1C:10:2A:E5:09:C4
+ SHA256 12:D5:03:C2:D5:1C:D6:55:A9:50:FB:A4:99:69:E8:DC:3A:DE:50:74:D7:2A:F9:70:F2:80:73:13:CA:4D:56:B1
+
+ * SMTP servers (STARTTLS)
+ smtp.fripost.org:587 (Mail Submission Agent)
+ SHA1 03:87:02:C9:6E:01:D3:AD:BC:EC:77:CC:A5:C5:37:C1:D8:C1:29:BC
+ SHA256 6C:89:92:3C:A2:53:E0:14:9E:14:11:17:FF:FA:EB:12:3E:BA:0A:B0:C2:BE:70:18:8C:3D:7A:69:EB:00:5E:BB
+
+ mx1.fripost.org:25 (1st Mail eXchange)
+ SHA1 E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17
+ SHA256 1B:B2:4B:47:8F:8A:7A:28:F0:AC:0C:EE:A5:29:7A:F2:6A:D2:11:81:AA:DD:F7:77:A0:EA:89:A6:DD:2A:59:56
+
+ * Web servers
+ fripost.org:443 (website), mail.fripost.org:443 (webmail), lists.fripost.org:443 (list manager)
+ SHA1 E1:82:59:FD:7F:9A:11:EF:DC:1B:46:3B:AB:9F:F6:BB:A0:E4:D4:59
+ SHA256 7D:F2:7C:67:90:91:EB:5E:1E:25:D0:7B:A4:A5:72:9F:EA:20:EC:F0:74:1C:25:66:1D:72:56:A3:3B:53:D9:9A
+
+ wiki.fripost.org:443 (wiki)
+ SHA1 96:4E:77:71:F3:2B:C7:60:50:58:37:53:C4:B1:F1:50:95:69:FD:C0
+ SHA256 D0:02:01:81:03:86:F3:53:8A:BA:DE:7D:07:D5:E0:31:D8:5B:5D:35:72:BC:68:8B:E4:BF:86:33:42:43:21:90
+
+ git.fripost.org:443 (git server and its web interface)
+ SHA1 EA:50:38:19:38:6A:49:BF:5D:3C:4D:04:64:6F:0D:D3:AC:20:76:C2
+ SHA256 08:D9:18:05:A3:F5:B6:8E:20:81:E1:8A:36:1B:44:AD:4E:36:6D:D1:BA:FC:3D:26:F9:F5:4B:68:A9:0F:F3:21
+
+ antilop.fripost.org:443 (list manager)
+ SHA1 6F:1A:3B:0F:2C:5A:BC:33:09:C6:D4:F8:43:2C:07:6E:B0:FD:DB:7B
+ SHA256 FA:AC:E2:4C:C7:DD:D8:A6:24:20:0E:48:FC:91:D2:F0:CC:BD:BD:57:B1:F9:67:84:73:96:F1:90:4C:50:C1:F1
+
+
+To get the whole certificate for imap.fripost.org:993, type the following
+command in a shell:
+
+ openssl s_client -connect imap.fripost.org:993 </dev/null
+
+(For protocols using the STARTTLS directive such as SMTP, you'll have to call
+s_client with '-starttls smtp'. Another useful option is '-showcerts', which
+prints the whole server certificate chain.)
+
+You'll find the X.509 certificate wrapped between
+
+ -----BEGIN CERTIFICATE-----
+ [...]
+ -----END CERTIFICATE-----
+
+If you store it (including the delimiters) into /path/to/certificate.pem,
+you can then ensure that its fingerprints match the ones above:
+
+ openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha1
+ openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha256
+
+Alternatively, using a pipe:
+
+ openssl s_client -connect imap.fripost.org:993 </dev/null \
+ | openssl x509 -noout -fingerprint -sha256
+
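Review bot: the opening paragraph calls the list "up-to date" but the text carries no date, so a reader holding an older copy cannot tell that it is stale. Add a "last updated" line, and ideally each certificate's expiry, inside the text so that the signature in `certs.asc` covers it. In the `s_client` examples, consider adding `-servername` with the host being checked: several names are listed on port 443 with different certificates, and a client that sends no SNI may be handed a certificate other than the one for the entry under comparison. Since both digests are published, the instructions could also say that the SHA256 value is the one to rely on.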
diff --git a/site/certs.asc b/site/certs.asc
new file mode 100644
index 0000000..ecb8fee
--- /dev/null
+++ b/site/certs.asc
@@ -0,0 +1,84 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all
+X.509 certificates Fripost uses on its publicly available services. Please
+consider any mismatch as a man-in-the-middle attack, and let us know
+immediately! -- admin@fripost.org
+
+
+ * IMAP server
+ imap.fripost.org:993
+ SHA1 BE:CA:4E:39:C6:11:6B:FC:70:38:6C:DB:A6:7E:1C:10:2A:E5:09:C4
+ SHA256 12:D5:03:C2:D5:1C:D6:55:A9:50:FB:A4:99:69:E8:DC:3A:DE:50:74:D7:2A:F9:70:F2:80:73:13:CA:4D:56:B1
+
+ * SMTP servers (STARTTLS)
+ smtp.fripost.org:587 (Mail Submission Agent)
+ SHA1 03:87:02:C9:6E:01:D3:AD:BC:EC:77:CC:A5:C5:37:C1:D8:C1:29:BC
+ SHA256 6C:89:92:3C:A2:53:E0:14:9E:14:11:17:FF:FA:EB:12:3E:BA:0A:B0:C2:BE:70:18:8C:3D:7A:69:EB:00:5E:BB
+
+ mx1.fripost.org:25 (1st Mail eXchange)
+ SHA1 E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17
+ SHA256 1B:B2:4B:47:8F:8A:7A:28:F0:AC:0C:EE:A5:29:7A:F2:6A:D2:11:81:AA:DD:F7:77:A0:EA:89:A6:DD:2A:59:56
+
+ * Web servers
+ fripost.org:443 (website), mail.fripost.org:443 (webmail), lists.fripost.org:443 (list manager)
+ SHA1 E1:82:59:FD:7F:9A:11:EF:DC:1B:46:3B:AB:9F:F6:BB:A0:E4:D4:59
+ SHA256 7D:F2:7C:67:90:91:EB:5E:1E:25:D0:7B:A4:A5:72:9F:EA:20:EC:F0:74:1C:25:66:1D:72:56:A3:3B:53:D9:9A
+
+ wiki.fripost.org:443 (wiki)
+ SHA1 96:4E:77:71:F3:2B:C7:60:50:58:37:53:C4:B1:F1:50:95:69:FD:C0
+ SHA256 D0:02:01:81:03:86:F3:53:8A:BA:DE:7D:07:D5:E0:31:D8:5B:5D:35:72:BC:68:8B:E4:BF:86:33:42:43:21:90
+
+ git.fripost.org:443 (git server and its web interface)
+ SHA1 EA:50:38:19:38:6A:49:BF:5D:3C:4D:04:64:6F:0D:D3:AC:20:76:C2
+ SHA256 08:D9:18:05:A3:F5:B6:8E:20:81:E1:8A:36:1B:44:AD:4E:36:6D:D1:BA:FC:3D:26:F9:F5:4B:68:A9:0F:F3:21
+
+ antilop.fripost.org:443 (list manager)
+ SHA1 6F:1A:3B:0F:2C:5A:BC:33:09:C6:D4:F8:43:2C:07:6E:B0:FD:DB:7B
+ SHA256 FA:AC:E2:4C:C7:DD:D8:A6:24:20:0E:48:FC:91:D2:F0:CC:BD:BD:57:B1:F9:67:84:73:96:F1:90:4C:50:C1:F1
+
+
+To get the whole certificate for imap.fripost.org:993, type the following
+command in a shell:
+
+ openssl s_client -connect imap.fripost.org:993 </dev/null
+
+(For protocols using the STARTTLS directive such as SMTP, you'll have to call
+s_client with '-starttls smtp'. Another useful option is '-showcerts', which
+prints the whole server certificate chain.)
+
+You'll find the X.509 certificate wrapped between
+
+ -----BEGIN CERTIFICATE-----
+ [...]
+ -----END CERTIFICATE-----
+
+If you store it (including the delimiters) into /path/to/certificate.pem,
+you can then ensure that its fingerprints match the ones above:
+
+ openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha1
+ openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha256
+
+Alternatively, using a pipe:
+
+ openssl s_client -connect imap.fripost.org:993 </dev/null \
+ | openssl x509 -noout -fingerprint -sha256
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+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+=pjeq
+-----END PGP SIGNATURE-----
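Review bot: the clearsigned body is a second full copy of `site/certs`, so every fingerprint change has to be made in both files and re-signed by hand, and nothing prevents the two from drifting apart. Generating `certs.asc` from `certs` at publish time, or shipping `certs` with a detached signature, would leave a single source for the list.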
diff --git a/site/index.org b/site/index.org
index a278f2e..180bae7 100644
--- a/site/index.org
+++ b/site/index.org
@@ -12,7 +12,7 @@
<h1>Certifikat</h1>
<p>
Fripost använder säkra anslutningar. Läs mer om
- <a href="certifikat.html">Friposts certifikat här</a>
+ <a href="certs.asc">Friposts certifikat här</a>
</p>
</div>
#+END_HTML
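Review bot: the changed `href` now sends readers to the raw clearsigned file while the link text stays the same, so nothing on the page tells them the list is PGP-signed or which key to verify it against. Put the signing key's full fingerprint (or a link to where it is published independently of this web server) next to the link, and mention that the target is a signed text file, not an HTML page.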