Hello,

as previously anticipated on debian-devel[1], and since nobody stepped up for its maintenance, I am going to take sso.debian.org offline by the end of March 2023, after 9 years of honored service.

Sites working with sso.debian.org certificates have until that time to fix their configuration[2], since taking sso.debian.org offline will take its CRL publishing endpoint also offline.

I would welcome better single sign-on systems for Debian than Salsa, and sso.debian.org is not it. I'll do my part in taking it offline, and I welcome others to do their part in spinning up something better.

Enrico

[1] https://lists.debian.org/debian-devel/2022/10/msg00223.html
[2] I have not checked if sso.debian.org could be used to craft malicious certificates, nor if any of the current servers supporting client cert login are running on OpenSSL 3. However, today's disclosed vulnerability, which can be exploited via client authentication[3], can be a good incentive to go check your web server configurations :)
[3] https://www.openssl.org/news/vulnerabilities.html

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>