Bug#992692: general: Use https for {deb,security}.debian.org by default
Hi,
On 02.09.21 03:22, Hideki Yamane wrote:
> Providing "default secure setting" is a good message to users.
The TLS layer is not part of the security model, so we'd be teaching
users to look for the wrong thing, kind of like the "encrypted with SSL"
badges on web pages in the 90ies.
We have our own PKI that is decoupled from the X.509 certificate
infrastructure, and neither ascribes any trust to them nor depends on
the availability of an external service.
As it is now, I can install a Debian system where no X.509 certificate
authorities are trusted.
- If I deselect all CAs in the configuration dialog of the
ca-certificates package, what mechanism will allow apt to work?
- Do we want to pin the certificate provider for Debian mirrors, in
the knowledge that we want to be bound to this provider for several
years, do we want any "root" CA to be able to provide a trust anchor?
- Is there a revocation mechanism by which we can mark "root" CAs as
untrustworthy?
- What does the UI look like if OCSP verification fails?
- How do mirror operators get a signed certificate?
I think we're adding a lot of complexity and external dependencies to
the system here, which adds a lot of burden to mirror operators that
aren't large CDNs. That may be acceptable for an entity like Ubuntu, who
aren't dependent on donations, but we would be tied to the goodwill of
CDN operators here, so:
- do we wish to communicate that the existing mirrors outside
deb.debian.org are somehow less "secure"?
- do we have a contingency plan if deb.debian.org hosting on Fastly is
no longer feasible?
Simon
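As an added illustration of the point about the archive's own PKI (example code written for this page, not part of Simon's message and not apt's implementation): the trust chain apt relies on runs from a signature over the Release file, made with the Debian archive key, to the SHA256 table inside that file, to the Packages index, to each .deb. The transport carrying those files plays no part in it. The snippet below rebuilds the hash step of that chain over a constructed Release body and Packages index; the signature step (gpgv against the keyring shipped by debian-archive-keyring) is described in the comments and assumed to have been done first.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# --- Constructed sample data (not a real archive index) -----------------
# A real Packages file lists thousands of stanzas; this one has a single
# entry so the example runs offline. The Release body below is derived
# from it at import time.
INDEX_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = b"".join([
    b"Package: hello\n",
    b"Version: 2.10-2\n",
    b"Architecture: amd64\n",
    b"Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n",
    b"Size: 56132\n",
    b"SHA256: " + b"00" * 32 + b"\n",   # placeholder digest of the .deb
    b"\n",
])


def build_release(indexes: Dict[str, bytes]) -> str:
    """Build the body of a Release file for the given index files.

    On a real mirror this text is generated by the archive software and is
    what the Debian archive key signs (detached Release.gpg, or inline as
    InRelease). It is constructed here only to keep the example offline.
    """
    lines = ["Origin: Debian", "Suite: stable", "Codename: bullseye",
             "Architectures: amd64", "Components: main", "SHA256:"]
    for path, data in indexes.items():
        # Release format: one leading space, then <hex digest> <size> <path>
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


SAMPLE_RELEASE = build_release({INDEX_PATH: SAMPLE_PACKAGES})


def parse_release(text: str) -> Dict[str, Tuple[int, str]]:
    """Parse the SHA256 section of a Release body into {path: (size, digest)}.

    Precondition (not performed here): the signature over this exact text
    has been verified, e.g. with
        gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
             Release.gpg Release
    Only after that step does the table below carry any trust. The keyring
    is installed by the debian-archive-keyring package, not by any X.509 CA.
    """
    entries: Dict[str, Tuple[int, str]] = {}
    in_sha256 = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new top-level field; hash tables start at "SHA256:".
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                entries[path] = (int(size), digest.lower())
    return entries


def verify_index(entries: Dict[str, Tuple[int, str]], path: str, data: bytes) -> bool:
    """Check a downloaded index against the size and SHA256 from the Release file.

    Raises KeyError if the Release file does not list the path at all, since
    an unlisted file has no trusted digest to compare against.
    """
    if path not in entries:
        raise KeyError(f"{path} is not listed in the Release file")
    size, digest = entries[path]
    if len(data) != size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    entries = parse_release(SAMPLE_RELEASE)
    print("intact index:", verify_index(entries, INDEX_PATH, SAMPLE_PACKAGES))
    tampered = SAMPLE_PACKAGES.replace(b"hello", b"hellp")   # same length, different bytes
    print("tampered index:", verify_index(entries, INDEX_PATH, tampered))
```

Nothing in this check consults a CA store, a certificate or a network service: the only trust anchor is the archive keyring installed from the distribution itself, which is why a system with every CA deselected in ca-certificates can still verify what it installs. A mirror that altered the Packages index would fail the digest comparison, and one that altered the Release file would fail the signature step that precedes it, whether the bytes arrived over http or https.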