Re: HTTPS everywhere!

To: debian-devel@lists.debian.org
Subject: Re: HTTPS everywhere!
From: Tollef Fog Heen <tfheen@err.no>
Date: Sat, 21 Jun 2014 16:40:34 +0200
Message-id: <[🔎] 87simyjpgd.fsf@aexonyam.err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1403297908.4386.49.camel@heisenberg.scientia.net> (Christoph Anton Mitterer's message of "Fri, 20 Jun 2014 22:58:28 +0200")
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net> <[🔎] 20140612085609.GA3826@jwilk.net> <[🔎] 1402594205.5066.97.camel@heisenberg.scientia.net> <[🔎] 87tx7q9enp.fsf@aexonyam.err.no> <[🔎] 1402941280.4787.76.camel@heisenberg.scientia.net> <[🔎] 20140616182536.GA9253@emyr.net> <[🔎] 1403060049.4774.54.camel@heisenberg.scientia.net> <[🔎] 1403065210.4973.170.camel@russell-laptop.pc.brisbane.lube> <[🔎] 1403297908.4386.49.camel@heisenberg.scientia.net>

]] Christoph Anton Mitterer 

> A user of Debian already fully trusts us (by using our distro, where we
> could do basically everything).

That user trusts us to build a distro fairly competently, something we
have a history of doing.

> If he ultimately trusts our X.509 root, he doesn't give us more trust,
> than he already did.

That user would then trust us to run a CA competently, something we as a
project don't have a history of doing, so they have no reason to believe
we can do so.

Running a good CA is not a trivial effort.

> Of course this still doesn't solve the problem of e.g. browsers, that
> they have gazillions of CAs, and each could issue forged certs for
> Debian hosts, but at least it technically allows the user (or programs
> like apt-listbugs) to _really fully securely_ contact Debian services
> via TLS/SSL with X.509 - something which is not possible with
> GANDI/CAcert or any other non-Debian-managed CAs.

Either cert pinning or DTLSA records would be better solutions here.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: HTTPS everywhere!
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- HTTPS everywhere! (was: holes in secure apt)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: HTTPS everywhere! (was: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: HTTPS everywhere!
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: HTTPS everywhere!
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: HTTPS everywhere!
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: HTTPS everywhere!
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: HTTPS everywhere!
  - From: Russell Stuart <russell-debian@stuart.id.au>
- Re: HTTPS everywhere!
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: maintainership of pv, status of kcoyner
Next by Date: Re: HTTPS everywhere!
Previous by thread: Re: HTTPS everywhere!
Next by thread: Re: HTTPS everywhere!
Index(es):
- Date
- Thread