Re: HTTPS everywhere!

To: debian-devel@lists.debian.org
Subject: Re: HTTPS everywhere!
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 17 Jun 2014 14:34:27 +0200
Message-id: <[🔎] 20140617123427.GA5479@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 53A032AB.1050802@debian.org>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net> <[🔎] 20140612085609.GA3826@jwilk.net> <[🔎] 1402594205.5066.97.camel@heisenberg.scientia.net> <[🔎] 87tx7q9enp.fsf@aexonyam.err.no> <[🔎] 53A032AB.1050802@debian.org>

* Simon McVittie <smcv@debian.org>, 2014-06-17, 13:20:

It should be possible to make a CA certificate that is only consideredto be valid for the spi-inc.org and debian.org subtrees, and then trustthe assertion that SPI control that certificate - but in widely-usedapplications, that isn't possible.

In theory, the Name Constraints extension should allow one to achievewhat you said:

http://tools.ietf.org/html/rfc5280#section-4.2.1.10
No idea how well it is supported, though.

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: HTTPS everywhere!
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- HTTPS everywhere! (was: holes in secure apt)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: HTTPS everywhere! (was: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: HTTPS everywhere!
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: HTTPS everywhere!
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: HTTPS everywhere!
Next by Date: Bug#751885: ITP: node-express-session -- simple HTTP session middleware - Node.js module
Previous by thread: Re: HTTPS everywhere!
Next by thread: Re: HTTPS everywhere!
Index(es):
- Date
- Thread