
Re: certificate creation in postinst, potentially using letsencrypt script

On Sun, Aug 02, 2015 at 05:44:06PM +0200, Christoph Anton Mitterer wrote:
> Some ideas that pop up in my mind:
> - Would be yet another location of privacy leak in Debian, where the
> system automatically calls "home" to some more commercial than
> community organisations.

I agree this should not be automatic, but it would be good to support it.  Note
that this is a community organization; Mozilla is a part of it, but so is the
EFF.

> - Why should Debian - as a neutral community organisation - push
> Mozilla's letsencrypt?

Aside from it not being just Mozilla's, the answer is simple: because it helps
our goals.  Encryption everywhere is a really good idea.  At the moment, the
only reasonable way to get encryption without either dealing with the companies
you hate as much as I do, or training your users to ignore really scary looking
warnings, is through this service.

> It has more or less the same inherent problems as the other CAs that
> offer "free" certs,... so why not push for CAcert? Or StartSSL?
> I think it's a bad development, that we get more and more "corporate"
> into Debian.

I agree that we should watch out that corporate interests do not get a place in
our decision making process.  But that doesn't mean we can't use anything that
a corporation also supports, or even pays for.  They don't get a vote in
Debian.  They just provide a service which is aligned with our goals, and we
help our users to use that service, because we think it is good for them.

Or are you saying that this service would harm our users?  If so, how?

I agree that CAcert in particular is something I would like to see supported by
Debian.  On the other hand, even if they are put back in Debian's trusted
certificates list, the rest of the world would still not trust them.  So using
their certificates doesn't help much compared to self signed if you have any
non-Debian visitors (and at the moment, even if you don't).

This is similar to kernels for me: I think it would be best if everyone would
use the Hurd instead of Linux.  But with the current state of affairs, that's
just not a good recommendation for most people.

> - People may automatically start using these certs, but given the
> inherent problems of the strict hierarchical X.509 system, this also
> means that one gives up control to e.g. letsencrypt, compared to self
> -signed certificates where "I'm" under complete control, and no
> potentially rogue or governmentally forced CA could issue forged
> certificates for my name.

This is simply not true.  CAs can do this _anyway_.  If a rogue CA decides to
hand out certificates to people who don't own the website that's on it, the
owners of those websites have a problem.  There's nothing they can do about it
(except legal action and pushing for removing trust from that CA).

> - Some packages may just create such certs, but not be configured to
> ever actually use them

That sounds like a bug.  We can fix bugs. :-)

> - Your idea mentioned above, of using the same cert for different
> services...
> This has advantages and disadvantages, so both should be possible or at
> least any such automatic handling shouldn't make it impossible for
> users to do whatever they like.

In particular, I would like it to be possible for users without root access to
install their own keys in a way that doesn't allow other users to read them.

> - And that later point is actually another concern.
> Automatically handling such things (e.g. the certificates) often means
> that certain constraints come up how things are expected in order to
> work.
> So any such automatic handling should be better darn good and
> completely transparent.

Of course.  I think the idea is something like this:
- Keys are installed in /etc/ssl/private/.
- Certificates are placed in /etc/ssl/certs/.
- Keys with their certificate in one file are generated in /etc/ssl/combined/
  (which is restricted to the same users that are allowed to read
  /etc/ssl/private/).

Programs can use the separate keys and certificates, or the combined ones;
whatever they need.  When installing a key or certificate, a trigger must be
run to update the combined list.

Thanks,
Bas
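The layout sketched at the end of Bas's message, carried into a trigger-style script as an added example. This is not code from the thread, from Debian's ssl-cert package, or from any other Debian package, and it makes assumptions the thread does not state: a key is /etc/ssl/private/NAME.key, its certificate is /etc/ssl/certs/NAME.pem, the combined file becomes /etc/ssl/combined/NAME.pem, and the three directories are passed as parameters so the script can be run against a scratch tree. The key/certificate match check uses openssl when it is installed and is skipped otherwise; `chmod --reference` and `find -perm -o+r` are GNU forms.

```shell
#!/bin/sh
# Added example (not from the thread or any Debian package): rebuild a
# "combined" directory of cert+key files from a private-key directory and a
# certificate directory, restricting readers to those of the private dir.
# Assumed naming: PRIVATE/NAME.key + CERTS/NAME.pem -> COMBINED/NAME.pem.
set -u

# Return 0 if the key and certificate carry the same public key. If openssl
# is not installed the check is skipped (returns 0) rather than failing.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: update_combined PRIVATE_DIR CERTS_DIR COMBINED_DIR
# Prints the NAMEs that were (re)generated, one per line. Keys with no
# certificate, keys that do not match their certificate, and keys readable by
# "other" are skipped with a message on stderr. Combined files whose key has
# disappeared are removed, so the script is safe to re-run from a trigger.
update_combined() {
    private=$1; certs=$2; combined=$3
    umask 077                       # nothing created here is world-readable
    mkdir -p "$combined"
    # Same readers as the private dir: copy its mode and owner/group.
    # chown needs root; when run unprivileged it is simply skipped.
    chmod --reference="$private" "$combined" 2>/dev/null || chmod 0710 "$combined"
    chown --reference="$private" "$combined" 2>/dev/null || true

    for key in "$private"/*.key; do
        [ -e "$key" ] || continue   # glob matched nothing
        name=$(basename "$key" .key)
        cert="$certs/$name.pem"
        out="$combined/$name.pem"
        if [ ! -r "$cert" ]; then
            echo "$name: no certificate, skipping" >&2; continue
        fi
        # A combined file would launder a badly permissioned key into a
        # directory that looks properly restricted; refuse instead.
        if [ -n "$(find "$key" -perm -o+r)" ]; then
            echo "$name: key is world-readable, refusing" >&2; continue
        fi
        if ! key_matches_cert "$key" "$cert"; then
            echo "$name: key does not match certificate, skipping" >&2; continue
        fi
        # Write to a temp file in the target dir and rename, so a daemon that
        # reloads mid-run never reads a half-written file. Cert first, then key.
        tmp=$(mktemp "$combined/.$name.XXXXXX") || continue
        cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; continue; }
        chmod --reference="$key" "$tmp" 2>/dev/null || true
        chown --reference="$key" "$tmp" 2>/dev/null || true
        mv -f "$tmp" "$out"
        echo "$name"
    done

    # Drop combined files for keys that no longer exist.
    for out in "$combined"/*.pem; do
        [ -e "$out" ] || continue
        name=$(basename "$out" .pem)
        [ -e "$private/$name.key" ] || rm -f "$out"
    done
    return 0
}

# Stand-alone use against the real tree (needs root):
#   update_combined /etc/ssl/private /etc/ssl/certs /etc/ssl/combined
```

In a package this would be invoked from the postinst and, for the "trigger" Bas mentions, from a dpkg file trigger (an assumption about the wiring, not something the thread specifies): `interest /etc/ssl/private` and `interest /etc/ssl/certs` in debian/triggers, with the postinst calling the script when invoked with `triggered`. The skip-on-mismatch and refuse-on-world-readable branches are the checks a practitioner would want before a combined file is handed to a daemon.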