[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS everywhere!

On Wed, Jun 18, 2014 at 10:05:32AM -0700, Russ Allbery wrote:
> Vincent Lefevre <vincent@vinc17.net> writes:
> > On 2014-06-17 13:20:59 +0100, Simon McVittie wrote:
> >> It should be possible to make a CA certificate that is only considered to
> >> be valid for the spi-inc.org and debian.org subtrees, and then trust the
> >> assertion that SPI control that certificate - but in widely-used
> >> applications, that isn't possible. If SPI can sign certificates for
> >> debian.org, then they can also sign certificates for my bank, and my
> >> browser will think those are just as valid.
> > I agree. However I don't think that the particular case of a Debian Root CA
> > would be a problem, since you must absolutely trust it. If something bad
> > happens at this level, this would mean that downloaded packages from
> > debian.org may actually be compromised ones, and in such a case, your whose
> > machine should be regarded as compromised.
> This is only true if the root CA is maintained with the same level of
> security as the PGP signing key for the archive.  While that's something that
> we could probably do (although it's worth not underestimating how much care
> goes into maintaining that key), we cannot maintain the same level of
> security on the individual certificates signed by that CA.  In order to use
> them to secure apt transactions, this necessarily implies distributing the
> private keys across our mirror network.

We _could_ become a PKI and ask that the mirror operators submit CSRs.  They
would retain the private key, we'd issue a certificate signed by the Debian CA.
We could revoke (hah!) certificates if a mirror operator goes away or
misbehaves.  We could configure apt to only accept the Debian CA and
certificates it issues, and to fail if the CRL/OCSP is unreachable.

> The signing key for the archive is inherently much easier to secure properly
> than any user-facing key for a debian.org domain because the signing key for
> the archive can live on one and only one machine that is secured as tightly
> as we are capable of securing it and which is under the exclusive control of
> the relevant core teams in Debian.
> Because of that, I would much rather find good ways to trust the PGP
> signatures on the archive than to attempt to do anything with X.509.  The
> trust model and key management properties of X.509 are inherently inferior
> for our purposes.

But I far prefer the OpenPGP approach to securing the Archive.

Luca Filipozzi

Attachment: signature.asc
Description: Digital signature

Reply to: