Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst <w@uter.be> wrote:
>On Sunday 20 July 2014 09:23:55 you wrote:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP as well as
>> > HTTPS, so forcing HTTPS really doesn't gain you much.
>>
>> But that implies that the attacker has access to private keys, and in this
>> case you are so screwed.
>
>My point exactly: if someone can somehow MITM people.debian.org they
>have access to private key material that they shouldn't have access to.
I might be missing something, and I admit not having read the entire
thread, but how would they have access to private key material?
_My_ GPG key has never been near people.debian.org, and I suspect that
key ring management would (rightfully!) promptly kick any public key
whose private key was found on p.d.o out of the keyring.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834