Re: TLS key for api.ftp-master.debian.org

On Fri, 07 Nov 2014, Mark Hymers wrote:

> As far as I'm concerned, the main thing if we're going to publicise the
> key is to have a clean rollover strategy.  Frankly, I'm not sure that I
> want to commit to dealing with this side of it - SSL certs are part of
> the infrastructure really, and I'm inclined to defer to DSA on this.

We (and SPI) have operated an X509 CA in the past.

The way it is and was run is far below par.  If any of the cabforum
members operated their CA that way, and it became public, I'm not sure
what people would say.  Nothing nice, and they'd be right.

So, if we've learned anything from that, it's that we don't want to run

If you do not trust the cab forum members, you have alternatives:

On debian.org systems, you can rely on /etc/ssl/certs to have a copy of
the correct EE certificate if you want to use that.  For now, all these
certs also live in the public DSA puppet git repository.

A more scalable approach is to use the DNS to authenticate the
certificate [RFC 6698].  You can either always chain off the root, or
you can get a debian.org DNSKEY once:  We have so far constrained our
rollover-timing to facilitate [RFC 5011] style handling of trust anchors
by clients.  Indeed, our own infrastructure uses that to keep track of
the proper debian.org DNSKEY.
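
The RFC 6698 check referred to above, as an added example that is not part of the original message or of Debian's own tooling: given a certificate in DER form plus the selector, matching type and association data of a TLSA record, decide whether they match. It assumes the record has already been DNSSEC-validated; all function names and the sample bytes are constructed for illustration, and the DER walker is deliberately minimal.

```python
import hashlib
import hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos:pos + 2]           # ValueError if the header is truncated
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, header included, from a certificate."""
    outer, pos, _ = read_tlv(cert_der, 0)    # Certificate
    tbs, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate
    first, _, after = read_tlv(cert_der, pos)
    if first == 0xA0:                        # optional [0] EXPLICIT version
        pos = after
    for _field in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    spki, _, end = read_tlv(cert_der, pos)
    if (outer, tbs, spki) != (0x30, 0x30, 0x30):
        raise ValueError("not an X.509 certificate")
    return cert_der[pos:end]

DIGESTS = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
           2: lambda d: hashlib.sha512(d).digest()}

def tlsa_matches(cert_der, selector, matching_type, assoc_data):
    """Compare RFC 6698 certificate association data with a presented certificate."""
    if selector not in (0, 1) or matching_type not in DIGESTS:
        raise ValueError("unknown TLSA selector or matching type")
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    return hmac.compare_digest(DIGESTS[matching_type](selected), assoc_data)

def _tlv(tag, value):  # DER encoder for the constructed sample only (values under 256 bytes)
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + size + value

# Constructed sample: certificate-shaped DER with empty names and a dummy key and signature.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, b"\x06\x03\x2b\x65\x70") + _tlv(0x03, b"\x00" + bytes(range(32))))
SAMPLE_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, SAMPLE_TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"\xaa" * 64))
```

Selector 1 (SubjectPublicKeyInfo) keeps matching when a certificate is reissued with the same key, while selector 0 (full certificate) has to be republished in DNS at every reissue.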

