Re: Developer repositories for Debian
On 17/05/2013 17:43, Russ Allbery wrote:
> [...]
> 4. Hijack that metadata identity request so that it goes to their server
> instead of mine. This can be done in any number of ways (DNS cache
> poisoning, compromise of www.eyrie.org, compromise of my account on
> www.eyrie.org, TCP active MITM, etc.) depending on the situation.
> [...]
> The obvious way to authenticate the connection to www.eyrie.org to
> retrieve my metadata is to validate the www.eyrie.org certificate against
> a CA, which is where the CA cartel is reintroduced into the picture.
But if www.eyrie.org is compromised (as you seem to allow), then having
a CA-certified certificate won't help, will it?
I wouldn't rely on a trust chain involving an online private key in this
context...
--
Stéphane