On Wed, 2014-06-18 at 10:05 -0700, Russ Allbery wrote: > This is only true if the root CA is maintained with the same level of > security as the PGP signing key for the archive. Well and currently, people trust GANDI when they download (then possibly forged) Debian images? Actually even less, since on a short glance I couldn't find any verification information on the site... and you're redirected to some http-only mirror. > While that's something > that we could probably do (although it's worth not underestimating how > much care goes into maintaining that key) Well I'd say it would need about the same care that is e.g. needed to maintain debian-keyring... If the system of issuing certificates under a Debian CA is of roughly the same security level than e.g. the one that controls how is allowed to upload packages to Debian and who not... it should be plenty enough. And if your concern is that a Debian CA could be used to forge certificates for non-Debian stuff... given that we have >150 root certs in the Mozilla bundle... many of them already completely untrustworthy and many of them probably introducing intermediate CAs which are even less trustworthy... I wouldn't worry a lot here. > we cannot maintain the same > level of security on the individual certificates signed by that CA. Well sure, but that just means that the individual nodes "protected" by these certs are at risk,... e.g. your https for bugs.debian.org. And I don't see why there should be any difference here based on which CA issued such individual cert. If the server is vulnerable, than you're screwed - no matter whether it's GANDI, Verisign, or Debian CA issued. > In > order to use them to secure apt transactions, this necessarily implies > distributing the private keys across our mirror network. Whew... I've never talked bout that :D Don't get me wrong: Whenever we have the change to secure something with OpenPGP - use that (TLS/SSL and X.509 have so many inherent issues... try to avoid whenever possible). Only for services where this is not realistic (i.e. everything web-based): use our own X.509 CA. When I "complained" about the use of GANDI I rather referred to anything webbased and all possible attack vectors originating in that: - e.g. maintainers sharing/merging code via some webbased service like paste.debian.net ... or via the BTS. It could be tricky code where an attacker could introduce a non-obvious security hole, and if that is merged just because of trusting some external X.509 certs... not so nice. - users could look up security issues (https://www.debian.org/security/) or grave bugs (via apt-listbugs)... and an attacker could tell them "everything's fine" or just not list any issues at all. > Because of that, I would much rather find good ways to trust the PGP > signatures on the archive than to attempt to do anything with X.509. The > trust model and key management properties of X.509 are inherently inferior > for our purposes. Absolutely agreed... as said... I was just referring to any services where we have not much alternative than using X.509 (e.g. everything https - and I explicitly don't count in the APT https transport mode (which I think makes not much sense anyway)). Cheers, Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature