[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS everywhere!

On 2014-06-17 13:20:59 +0100, Simon McVittie wrote:
> It should be possible to make a CA certificate that is only considered
> to be valid for the spi-inc.org and debian.org subtrees, and then trust
> the assertion that SPI control that certificate - but in widely-used
> applications, that isn't possible. If SPI can sign certificates for
> debian.org, then they can also sign certificates for my bank, and my
> browser will think those are just as valid.

I agree. However I don't think that the particular case of a
Debian Root CA would be a problem, since you must absolutely
trust it. If something bad happens at this level, this would
mean that downloaded packages from debian.org may actually
be compromised ones, and in such a case, your whose machine
should be regarded as compromised.

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to: