
Re: Developer repositories for Debian



On 17/05/2013 17:43, Russ Allbery wrote:
> [...]
> 4. Hijack that metadata identity request so that it goes to their server
>    instead of mine.  This can be done in any number of ways (DNS cache
>    poisoning, compromise of www.eyrie.org, compromise of my account on
>    www.eyrie.org, TCP active MITM, etc.) depending on the situation.
> [...]
> The obvious way to authenticate the connection to www.eyrie.org to
> retrieve my metadata is to validate the www.eyrie.org certificate against
> a CA, which is where the CA cartel is reintroduced into the picture.

But if www.eyrie.org is compromised (as you seem to allow), then having
a CA-certified certificate won't help, will it?

I wouldn't rely on a trust chain involving an online private key in this
context...

-- 
Stéphane

