On Fri, 29 May 2015 13:55:31 +0800 Paul Wise <pabs@debian.org> wrote:

> On Fri, May 29, 2015 at 7:40 AM, Russ Allbery wrote:
>
> > I'm fine with locking the doors. I'm not fine with paying protection
> > money to a Mafia goon who claims they'll lock your windows, and sort of
> > sometimes does. It's the extortion component that pisses me off about
> > HTTPS.
> >
> > LetsEncrypt will save us! I just looked that up. What a wonderful idea!
> >
> > If we can use a Debian-specific CA, we can do cert pinning, since we're
> > then assuming we have some control over the client. I was assuming a
> > general client where we'd have to play nice with the normal CA roots.
>
> Then we would constantly get complaints from Ubuntu/etc
> developers/users about why Debian uses invalid certs, as we did before
> Debian moved to mafia certs. Unfortunately I don't think it is
> possible to use both mafia CAs and non-mafia CAs without adding say a
> lot of non-mafia subdomains, like non-mafia.www.debian.org.

If having to manually add a CA annoys the Ubuntu developers that much, then surely they could just include the Debian CA certificate in Ubuntu's default?

Anyway, I don't see the point in using both mafia CAs and non-mafia CAs. If you get the mafia CAs, you'll still be paying the extortion money regardless of whether or not you use the non-mafia CAs.