Re: fingerprint of the archive signing key

also sprach Todd Troxell <ttroxell@debian.org> [2004.07.02.0137 +0200]:
> Given enough time and energy, any security measure will be
> subverted, and yes, probably by someone that knows what they're
> doing.  

While I agree with your statement, I find it rather unimaginable for
someone to MITM-attack an SSL channel, given that the client side
knows about SSL and expects the high security -- e.g. verifies the
certificate and otherwise protects the client computer.

Perfect security isn't possible, but you can get damn close. It all
depends on the threat model though.

So: any other voices against an SSL page for key/fingerprint
download of the archive signing key?

Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature
