Re: git and https
Roland Mas <lolando@debian.org> writes:
> I understand that behemoths such as Iceweasel may take some time to
> move, but maybe Git could be made to use the TLSA records in DNSSEC?
> Postfix does make use of them, and SSH uses their SSHFP cousins, so it's
> not completely an abstract idea.
> Roland,
> who spent some time DNSSECing his infrastructure and hoping it'll be
> worth it in due time.
Yeah, that would be really cool.
Also, for people coming from Debian hosts talking to the Debian
infrastructure, at least in theory we *could* do certificate pinning,
which transforms HTTPS into a worthwhile security protocol. It's not
exactly trivial to work out the UI and integration problems, and it
doesn't help for people not coming from a Debian system (at least as
much), but it might be worth considering.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>