
Re: git and https



On 2015-05-28 09:33:35 +0200 (+0200), Roland Mas wrote:
> I understand that behemoths such as Iceweasel may take some time
> to move, but maybe Git could be made to use the TLSA records in
> DNSSEC? Postfix does make use of them, and SSH uses their SSHFP
> cousins, so it's not completely an abstract idea.

Pick your poison. I'm a fan of DANE (RFC 6698, DNSSEC+TLSA) for this
as well, but there are plenty of people hanging their hopes on HPKP
(RFC 7469, key pinning) along with CT (RFC 6962, certificate
transparency). If you rely on DNSSEC then you're trusting the
governments with control over jurisdictions where the DNS root keys
are managed not to MitM you by fabricating signed resolution chains
down to a TLSA record with the cert they want you to see. It all
depends on which tinfoil hat you find most comfortable.
-- 
Jeremy Stanley
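As an added illustration of the DANE option discussed in this thread (example code, not from the list or from Git), the following shows how a client would match an RFC 6698 TLSA record against a server's leaf certificate under DANE-EE, gated on the answer having been DNSSEC-validated, which is exactly the root-key trust the message above points at. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; a real client would take them from the TLS handshake and the record from a validating resolver.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed placeholders; a real client takes the DER cert and SPKI from the TLS handshake.
CERT_DER = b"\x30\x82\x01\x00constructed-leaf-certificate-not-real-der"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info-not-real-der"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse RFC 6698 presentation format ('3 1 1 <hex>'); zone files may
    break the hex field with whitespace, so the parts are joined first."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hex_parts)))

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """What the record's data field must equal for this certificate. Unknown
    selector or matching type returns None: the record is unusable, not a match."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        return None
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest()
    return None

def dane_ee_accepts(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes,
                    dnssec_validated: bool) -> bool:
    """DANE-EE (usage 3): the leaf certificate is the trust anchor, no PKIX chain
    is consulted. Only records from a DNSSEC-validated answer count; that
    validation is the root-key trust the message above is talking about."""
    if not dnssec_validated:
        return False
    usable = [r for r in records if r.usage == 3]
    return any(association_data(r, cert_der, spki_der) == r.data for r in usable)
```

Usages 0-2 are deliberately left out: PKIX-TA, PKIX-EE and DANE-TA additionally require walking the certificate chain, which this matcher does not do.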

