On Mon, Jun 16, 2014 at 07:54:40PM +0200, Christoph Anton Mitterer wrote:
> On Thu, 2014-06-12 at 20:16 +0200, Tollef Fog Heen wrote:
> > > Supplying the Debian Root CA to people not using Debian could have been
> > > easily done by a *single* site that uses a cert available in all
> > > browsers... which offers the Debian Root CA for secure and "trusted"
> > > download.
> >
> > That's a nice theory. It does not align particularly well with what
> > happens in the real world.
>
> Uhm... why not?
>
> Anyway... it would be best if such Debian Root CA could be included in
> major other distros as well... so even if it's not installed by
> default... people from all distros would have an easy way to securely
> retrieve such root CAs, as long as they trust their own distro.

I think I'm a Good Person. And I think that my fellow DSA team members are
also Good People. And I think the SPI folks are Mostly Good People :)

But I don't expect that to be anywhere close to sufficient for other distros
to include the Debian CA (by which you probably mean the SPI CA) into their
certificate stores. I'd expect them to ask us to follow processes similar to
Mozilla's (https://wiki.mozilla.org/CA:How_to_apply). It's not clear to me
that either SPI or Debian are prepared to do that.

Maybe we should go with cacert.org... but they failed to step through the
process and they're purpose built for CA management.

From my perspective, HTTPS Everywhere and Archive Security are not the same.

I want to provide our end users, some of whom are not sufficiently technical
to decipher SSL warnings/errors, with the opportunity to have secure
communications (to the extent that we can, anyway).

I rely on the GPG web of trust for Archive Security. If tools need to be
improved, then that's where we (or "them") should focus energies (and I seem
to recall seeing an apt update, recently).

Cheers,

Luca

-- 
Luca Filipozzi
http://www.crowdrise.com/SupportDebian