On Tue, Nov 19, 2002 at 10:22:10AM -0500, Matt Zimmerman wrote:

>>> Another good task might be to arrange for a verifiable certificate for the
>>> https services at spi-inc.org? Currently, it seems to have an expired
>>> certificate for a different hostname issued by an unrecognized CA (Wichert).

>> By 'verifiable', do you mean using one of the universally-recognized web
>> CAs, or would it be an option to create an SPI (or Debian) CA whose CA
>> cert is shipped with Debian and usable by default?

> By 'verifiable', I mean a certificate which can be verified, by whatever
> means, to belong to SPI, modulo a reasonable doubt. Given the policies and
> (lack of) secure certificate distribution by the commercial CAs, I've no
> doubt we could do better, but I have some doubt that we have justification.

Yes, even though it would be less automatic for those using non-Debian web
clients, I think most of us have a stronger trust relationship with any
arbitrary key in the Debian strongly-connected set than with VeriSign. ;)

> But this was more a snide remark than anything; it's not as if the SPI
> website is processing financial transactions, but it does use SSL
> for some forms.

All the more reason not to deplete our accounts for something we could do
just as well ourselves!

-- 
Steve Langasek
postmodern programmer