On Thu, Jun 30, 2005 at 09:43:04PM +0100, Gervase Markham wrote: > >Why can't we leave this to the maintainer or even local admins though? > > These are two very different cases, though. If a local admin installs a > new root cert, that's cool - they are taking responsibility for the > security of those users, and they have extreme BOFH power over them > anyway. However, having the root appear by default, so that no-one at > the remote site really knows it's there (who consults the root list) and > it's now on Y thousand or million desktops - that is a different kettle > of fish. You've missed the really interesting, really important case. What about the site admin team for X thousand desktops who produce a modified firefox package to be used across the whole company? This is the normal, expected usage of Debian. > A quick reminder of what's at risk here: if the private key of a root > cert trusted by Firefox became compromised, _any_ SSL transaction that > any user trusting that cert performed could be silently MITMed and > eavesdropped on. Let's be serious here. You've already got the verisign certificates, and you've got a helpful dialog box that appears whenever new certificates are presented to the browser such that the user can just whack 'ok' without reading it. SSL security on the internet at large is a myth. Anybody who trusts it is insane; the risks aren't very significant. -- .''`. ** Debian GNU/Linux ** | Andrew Suffield : :' : http://www.debian.org/ | `. `' | `- -><- |
Attachment:
signature.asc
Description: Digital signature