[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS everywhere!

On Mon, Jun 16, 2014 at 07:54:40PM +0200, Christoph Anton Mitterer wrote:
> On Thu, 2014-06-12 at 20:16 +0200, Tollef Fog Heen wrote: 
> > > Supplying the Debian Root CA to people not using Debian could have been
> > > easily done by a *single* site that uses a cert available in all
> > > browsers... which offers the Debian Root CA for secure and "trusted"
> > > download.
> > 
> > That's a nice theory.  It does not align particularly well with what
> > happens in the real world.
> Uhm... why not?
> Anyway... it would be best if such Debian Root CA could be included in
> major other distros as well... so even if it's not installed by
> default... people from all distros would have an easy way to securely
> retrieve such root CAs, as long as they trust their own distro.

I think I'm a Good Person.  And I think that my fellow DSA team members are
also Good People.  And I think the SPI folks are Mostly Good People :) 

But I don't expect that to be anywhere close to sufficient for other distros to
include the Debian CA (by which you probably mean the SPI CA) into their
certificate stores.  I'd expect them to ask us to follow processes similar to
Mozilla's (https://wiki.mozilla.org/CA:How_to_apply).  It's not clear to me
that either SPI or Debian are prepared to do that.  Maybe we should go with
cacert.org... but they failed to step through the process and they're purpose
built for CA management.

From my perspective, HTTPS Everywhere and Archive Security are not the same.

I want to provide our end users, some of whom are not sufficiently technical to
decipher SSL warnings/errors with the opportunity to have secure communications
(to the extent that we can, anyway).  I rely on the GPG web of trust for
Archive Security.  If tools need to be improved, then that's where we (or
"them") should focus energies (and I seem to recall seeing an apt update,



Luca Filipozzi

Attachment: signature.asc
Description: Digital signature

Reply to: