Re: HTTPS everywhere!

On Tue, 2014-06-24 at 08:29 +0200, Matthias Urlichs wrote:
> The difference is that while pinning a bunch of certificates is indeed a
> lot of on-going work, pinning the CA cert used to sign these is not (set up
> the CA and install it into our software once, sign server certificates with
> that forevermore).

If that is a huge problem, you just pin the CA's cert.  The assertion you
are making is: all .debian.net/.debian.org's must be signed by this
root.  To compromise Debian the attacker must compromise a CA Debian
chooses, not a CA of their choice.

It's not a new idea - Certificate Patrol already does it.

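The CA-pinning check described in this thread (a leaf certificate is accepted only if it chains to the one CA the project chose, regardless of what other roots the client trusts), shown as an added example that is not code from the thread or from Debian. It builds a throwaway "pinned" CA and a second, unrelated CA in memory, issues a server certificate from each, and verifies both against a root pool that contains only the pinned CA; the CA names, the hostname used in the leaf and the function names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA certificate and key (constructed for the example).
func makeCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a server (leaf) certificate for dnsName with the given CA.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPinned is the pinning assertion from the thread: the leaf must chain to
// pinnedCA (and only pinnedCA) and must be valid for host. Every other CA,
// however widely trusted, is simply absent from the root pool.
func VerifyPinned(leaf, pinnedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// RunDemo returns the verification result for a leaf issued by the pinned CA
// and for a leaf issued by an unrelated CA for the same hostname.
func RunDemo() (errPinned, errRogue error) {
	const host = "www.debian.org" // hostname taken from the thread's example domain
	pinnedCA, pinnedKey, err := makeCA("Example Pinned Project CA", 1)
	if err != nil {
		return err, err
	}
	otherCA, otherKey, err := makeCA("Example Unrelated CA", 2)
	if err != nil {
		return err, err
	}
	good, err := issueServerCert(pinnedCA, pinnedKey, host)
	if err != nil {
		return err, err
	}
	rogue, err := issueServerCert(otherCA, otherKey, host)
	if err != nil {
		return err, err
	}
	return VerifyPinned(good, pinnedCA, host), VerifyPinned(rogue, pinnedCA, host)
}

func main() {
	errPinned, errRogue := RunDemo()
	fmt.Println("leaf from pinned CA:   ", errPinned) // nil: accepted
	fmt.Println("leaf from unrelated CA:", errRogue)  // unknown authority: rejected
}
```

The second leaf is a perfectly valid certificate for the same hostname; it fails only because its issuer is not the pinned root, which is exactly the property the thread is after. In a real client the pinned CA would be loaded from a file shipped with the software rather than generated at runtime.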
