
Re: Developer repositories for Debian

On Fri, 10 May 2013, Paul Wise wrote:
> On Fri, May 10, 2013 at 4:33 AM, Russ Allbery wrote:
> > That level of security isn't great, though.  GPG keys are much more secure
> > than that password.  What we would want for equivalent security in a web
> > interface is personal X.509 certificates.
> >
> > I think it would be interesting to have that infrastructure in place, but
> > someone would need to build it (probably with some mechanism to bootstrap
> > GPG keys into X.509 certificates -- and be careful of expiration times and
> > figure out a good way to deal with revocation).
> That mechanism already exists (and supports SSH too):
> http://web.monkeysphere.info/

I don't think that you're speaking of the same thing. I see no information
about "X.509 client certificates" in Monkeysphere. It offers ways to
validate the server certificate (if it's not signed by a known CA) but it
doesn't seem to offer any solution to manage client certificates.

That said, we already have http://sso.debian.org
(http://wiki.debian.org/DebianSingleSignOn) that we should aim to leverage
for authentication. And if it's not secure enough (and IIRC DSA doesn't
want people to use this SSO for sensitive operations), then that's the
single point where we should improve our infrastructure.

Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
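To make concrete the two points Russ raises about client certificates (expiration times and revocation), here is an added example that is not part of the thread, Monkeysphere or Debian's SSO: a throwaway CA, built with the openssl CLI, issues a client certificate with the clientAuth purpose, verifies it the way a web front end would, then revokes it through a CRL and shows that the same certificate is now rejected. Every name, path and the 30-day lifetime are constructed for the example; the only assumption is that `openssl` is installed.

```bash
#!/bin/sh
# Added example (not from the thread): issue, verify, expire-check and revoke
# an X.509 client certificate with a throwaway CA. Assumes the openssl CLI.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal CA database layout required by `openssl ca`.
mkdir -p ca/newcerts
touch ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# Constructed config: [req] lets us avoid the system openssl.cnf, [demo_ca]
# drives `openssl ca`, v3_ca / v3_client are the extension sets we apply.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ v3_client ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF

# Self-signed CA key and certificate (30-day lifetime, constructed value).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Client CA" -days 30 2>/dev/null

# Client key + CSR, then a CA-issued certificate restricted to clientAuth.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=developer@example.org" 2>/dev/null
openssl ca -config ca.cnf -batch -in client.csr -out client.crt \
    -extensions v3_client -notext 2>/dev/null

# verify_client CERT: succeeds only if CERT chains to our CA, is inside its
# validity window, carries the client purpose, and is absent from the CRL.
verify_client() {
    openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem \
        -purpose sslclient "$1" >/dev/null 2>&1
}

# expires_within CERT SECONDS: succeeds if CERT expires within SECONDS,
# i.e. the "be careful of expiration times" check a front end should run.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Empty CRL first: the freshly issued certificate must verify.
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
verify_client client.crt && echo "before revocation: accepted"
expires_within client.crt 86400 || echo "not expiring within a day"

# Revoke, regenerate the CRL: the same certificate must now be rejected.
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
if verify_client client.crt; then
    echo "after revocation: still accepted (revocation not enforced)"
else
    echo "after revocation: rejected"
fi
```

The design point is the `-crl_check` in `verify_client`: without it `openssl verify` happily accepts a revoked certificate that is otherwise valid, which is exactly the gap a web interface relying on client certificates has to close. The temporary working directory is left in place so the CA database, CRL and certificates can be inspected afterwards.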
