
Re: TLS key for api.ftp-master.debian.org



On Fri, Nov 07, 2014 at 04:53:44PM +0000, Ian Jackson wrote:
> Thanks for helping with this.  When I spoke to ftpmaster et al about
> this before, we had a conversation about TLS public keys and
> certificates.
> 
> I would like the DAK API TLS security to be rooted in a
> Debian-controlled public key distributed in a package in Debian,
> rather than using a public CA.
> 
> What I suggested is here:
>   https://lists.debian.org/debian-dak/2013/11/msg00000.html
> (in `Part II').
> 
> I provided rationale for this approach, rather than using a
> conventional https public CA, here:
>   https://lists.debian.org/debian-dak/2013/11/msg00002.html
>   https://lists.debian.org/debian-dak/2013/11/msg00007.html
> (Noodles pointed out a little later that I should have meant
> the debian-archive-keyring package, not the debian-keyring one.)
> 
> Mark Hymers agreed with me here:
>   https://lists.debian.org/debian-dak/2013/11/msg00011.html

I also talked with Ian briefly when I was thinking I'd have time to do
this at DebConf. I also very much agree with Ian's point of view, and I
think it would be extremely smart to pin the cert hard through the Debian
infra, not through the cartel (since this isn't something browsers hit).

So; +1.

> I provided some scripts for key and cert generation, here:
>   https://lists.debian.org/debian-dak/2013/11/msg00010.html
> 
> Thanks,
> Ian.

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte <paultag@debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt

Attachment: signature.asc
Description: Digital signature

