On Fri, Nov 07, 2014 at 04:53:44PM +0000, Ian Jackson wrote:
> Thanks for helping with this. When I spoke to ftpmaster et al about
> this before, we had a conversation about TLS public keys and
> certificates.
>
> I would like the DAK API TLS security to be rooted in a
> Debian-controlled public key distributed in a package in Debian,
> rather than using a public CA.
>
> What I suggested is here:
> https://lists.debian.org/debian-dak/2013/11/msg00000.html
> (in `Part II').
>
> I provided rationale for this approach, rather than using a
> conventional https public CA, here:
> https://lists.debian.org/debian-dak/2013/11/msg00002.html
> https://lists.debian.org/debian-dak/2013/11/msg00007.html
> (Noodles pointed out a little later that I should have meant
> the debian-archive-keyring package, not the debian-keyring one.)
>
> Mark Hymers agreed with me here:
> https://lists.debian.org/debian-dak/2013/11/msg00011.html

I also talked with Ian briefly when I was thinking I'd have time to do
this at DebConf. I also very much agree with Ian's point of view, and I
think it would be extremely smart to pin the cert hard through the
Debian infra, not through the cartel (since this isn't something
browsers hit)

So; +1.

> I provided some scripts for key and cert generation, here:
> https://lists.debian.org/debian-dak/2013/11/msg00010.html
>
> Thanks,
> Ian.

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte <paultag@debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
  `-    http://people.debian.org/~paultag/conduct-statement.txt
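As an added example (not Ian's key and cert generation scripts from the thread, nor any Debian or dak code), here is how a DAK API client could pin trust the way the thread proposes: the TLS context trusts only a CA certificate file shipped in a package (the file path is the caller's assumption), and the certificate a server presents is checked against a pinned SubjectPublicKeyInfo hash with nothing from the public CA store involved. The certificate bytes used for the demonstration are a constructed, unsigned skeleton, not a real certificate.

```python
import hashlib
import hmac
import ssl

def pinned_client_context(cafile: str) -> ssl.SSLContext:
    """Trust only the CA shipped in a package (path is the caller's assumption); the public-CA store is never loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=cafile)
    return ctx

def tlv(der: bytes, pos: int):
    """Decode one DER tag+length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                       # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    tag, _, end = tlv(cert_der, pos)      # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not where expected")
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def pin_matches(cert_der: bytes, expected_hex: str) -> bool:
    """Constant-time check of a presented certificate against the pinned SPKI hash."""
    return hmac.compare_digest(spki_sha256(cert_der), expected_hex)

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

# Constructed, unsigned certificate skeleton (not a real certificate): key bits and signature are dummy bytes.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(64))))
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"dak.example"))))
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG + NAME
          + der(0x30, der(0x17, b"141107000000Z") + der(0x17, b"151107000000Z")) + NAME + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + SIG_ALG + der(0x03, b"\x00" + b"\xff" * 32))
SAMPLE_PIN = hashlib.sha256(SAMPLE_SPKI).hexdigest()  # the value a client would ship as its pin
```

Because the pin covers the public key rather than the subject name, a re-issued certificate for the same key still matches while a certificate carrying a different key does not, which is the property that makes the pin independent of who signed the certificate.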