On Sun, 2014-06-22 at 03:34 +0200, Christoph Anton Mitterer wrote: > Well as it should be clear to everyone by now... with a own CA and with > specifically checking for certs issued by *only that* CA you can fully > secure things like apt-listbugs. Sure, but you are no longer discussing a PKI system here. If you are going to abandon X.509 PKI, why not just use OpenPGP and just have apt-listbugs ensure whatever is downloaded is signed by our keyring. It has the major advantage that it works across mirrors.. But I guess it depends on what you want to secure. Perhaps were we depart is I don't see huge value in securing the web site. > Actually one could even go a step further,... IIRC, some domain/CA > combinations are hardcoded in browsers like Chrome/Firefox... if that > infrastructure is already in place, we could probably easily add a patch > so that our debian.org/net are only accepted with certs from the "Debian > CA". So you want to introduce pinning. Some browsers do that already. For example, Chrome pins Google's certs. Probably would not hurt. It's just a question of whether securing the web site is really worth the effort. > Don't understand what you talk about... AFAICS you can't download any > netinst images via https at all. Hmm. You are right. The situation is worse than I thought. > And the same is true when you verify via OpenPGP. No really. Yes, the distribution problem is the same when you verify via OpenPGP. The difference is for OpenPGP, Debian has already has a solution in place.
Description: This is a digitally signed message part