Re: TLS key for api.ftp-master.debian.org

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: debian-admin@lists.debian.org, debian-dak@lists.debian.org
Subject: Re: TLS key for api.ftp-master.debian.org
From: Mark Hymers <mhy@debian.org>
Date: Fri, 7 Nov 2014 20:17:49 +0000
Message-id: <[🔎] 20141107201749.GA14202@hymers.org.uk>
Mail-followup-to: Ian Jackson <ijackson@chiark.greenend.org.uk>, debian-admin@lists.debian.org, debian-dak@lists.debian.org
In-reply-to: <[🔎] 21596.63768.751865.223236@chiark.greenend.org.uk>
References: <[🔎] 21596.63768.751865.223236@chiark.greenend.org.uk>

On Fri, 07, Nov, 2014 at 04:53:44PM +0000, Ian Jackson spoke thus..
> Thanks for helping with this.  When I spoke to ftpmaster et al about
> this before, we had a conversation about TLS public keys and
> certificates.
> 
> I would like the DAK API TLS security to be rooted in a
> Debian-controlled public key distributed in a package in Debian,
> rather than using a public CA.
> 
> What I suggested is here:
>   https://lists.debian.org/debian-dak/2013/11/msg00000.html
> (in `Part II').
> 
> I provided rationale for this approach, rather than using a
> conventional https public CA, here:
>   https://lists.debian.org/debian-dak/2013/11/msg00002.html
>   https://lists.debian.org/debian-dak/2013/11/msg00007.html
> (Noodles pointed out a little laterthat I should have meant
> the debian-archive-keyring package, not the debian-keyring one.
> 
> Mark Hymers agreed with me here:
>   https://lists.debian.org/debian-dak/2013/11/msg00011.html
> 
> I provided some scripts for key and cert generation, here:
>   https://lists.debian.org/debian-dak/2013/11/msg00010.html

Hi,

I agree with the concept that having a known public key is helpful so
that programs can check they're talking to who they think they are.  I
did say last year (although I just had to re-read) that a single use CA
was the better option.  I'm not so sure about it now however.

As far as I'm concerned, the main thing if we're going to publicise the
key is to have a clean rollover strategy.  Frankly, I'm not sure that I
want to commit to dealing with this side of it - SSL certs are part of
the infrastructure really, and I'm inclined to defer to DSA on this.
It's also not likely that this is the only "web" service in Debian where
we could do with a method of knowing whether we're talking to the right
service or not.  The question is, who wants to take responsibility for
sorting out the certs etc.  I'm not going to tell whoever it is (and I
don't want it to be me) how to do that job.

Mark

-- 
Mark Hymers <mhy at debian dot org>

"I told you I was ill"
     The epitaph of Spike Milligan (1918-2002)

Reply to:

Follow-Ups:
- Re: TLS key for api.ftp-master.debian.org
  - From: Peter Palfrader <weasel@debian.org>

References:
- TLS key for api.ftp-master.debian.org
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: [dak/master] Add initial suites and archives routines
Next by Date: [dak/master] Improve dsc_in_suite function documentation
Previous by thread: Re: TLS key for api.ftp-master.debian.org
Next by thread: Re: TLS key for api.ftp-master.debian.org
Index(es):
- Date
- Thread