Convergence (homepage is "an agile, distributed, and secure strategy for replacing Certificate Authorities". It seems like we should ship it at some point, as not all Tails users will learn how to deal with Monkeysphere.

{{toc}}

Next things to do

We have to wait for a decision regarding which candidate(s) we want to support for the web browser profile with no CA (Feature #5766).

Other reasons to wait

The Tor Browser Bundle developers are waiting for an external audit before shipping it.

Convergence is still not in Debian (ITP: Debian bug #640786.

Upstream bug tracker is a quite full of important bug reports right now. The lack of any SNI support is one of those. Waiting for the software to mature a bit would seem sound.

Implementation

Notaries

What set of notaries should Tails use by default?

Tor hidden services

At least one configured notary must be able to validate certificates for web servers running behind Tor hidden services, i.e. https://xxxxxxxxx.onion. Maybe better to ship a separate Iceweasel profile dedicated to this kind of browsing, that would use Monkeysphere instead of Convergence.

Captive portals

When we’ll implement support wifi hotspots with captive portals (Feature #5492), the webbrowser configuration dedicated to this task probably need to not use Convergence, as the Convergence client would not be allowed to reach the notaries.