On Sat, 2014-06-21 at 17:58 +0200, Christoph Anton Mitterer wrote:
> Take Turktrust as an example... IIRC the case correctly, they
> "accidentally" (whoever believes that) issued a cert which was an
> intermediate CA and which was used to issue forged Google certs.
> After days and only after long discussion they only blocked these
> certs... and Turktrust itself is still in (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=826666 or some similar
> reports from others) even though they proved that they're either not
> competent enough to run a CA or they're evil.
> And such CAs (even though they're not big enough not to fail) are not
> removed, which proves: the reason to be in the Mozilla bundle (i.e.
> considered to be trustworthy) <-> money
>
> Same example CNNIC... governmental controlled CA from a dictatorial
> communist country which is known for heavy espionage against their own
> and foreign citizens => absolutely untrustworthy per se
>
> Any US based CA: national security letters + gag orders => absolutely
> untrustworthy per se

The problem isn't that government security agencies can in all likelihood MITM any connection they wish. I'm sure that's true, but I'm equally sure they don't do it that often for fear of being caught.

It's actually far worse than that. The problem is that where I live every school, most government organisations, and many private organisations routinely MITM https connections passing through their infrastructure.

Given that is so, I am struggling to understand what you hope to achieve by setting up yet another CA. You are operating over the same infrastructure, with all its problems.

There is one easy way to tighten things up. Currently, if a Debian user wants a netinst the best option we offer him is to use https://www.debian.org/CD/netinst/ and rely on the X.509 PKI to ensure he is getting the real McCoy. That makes the download step the weakest link in the chain, because if I can substitute that netinst for one that includes my keys in the keyring package, I own him. And given the state of X.509 PKI, substituting it is relatively easy.

For existing Debian users, closing that loophole is easy: make netinst a package that can be downloaded and installed using apt.