Re: The Difference between debcheckout and dgit and what they try to accomplish
Colin Watson <cjwatson@debian.org> writes:
> Is it at all likely that the ftpmaster api service might migrate away
> from Let's Encrypt at this point? I would assume probably not. In that
> case, you could at least make the situation substantially better with no
> further DSA work required by pinning the appropriate LE root certificate
> in dgit.

debian.org already publishes a CAA record, which conveys that information
(although it has its own verification concerns, but I think debian.org is
using DNSSEC so you can verify the record that way). It says that all
debian.org hosts will only use certificates from either LE or Amazon:

    gwaihir:~$ host -t caa debian.org
    debian.org has CAA record 0 iodef "mailto:dsa@debian.org"
    debian.org has CAA record 128 issuewild ";"
    debian.org has CAA record 128 issue "letsencrypt.org"
    debian.org has CAA record 128 issue "amazon.com"

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
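
The CAA output quoted in the message above can be read mechanically. The following is an added example, not part of the original message or of dgit: it parses `host -t caa` output in the format shown and applies the RFC 8659 rules for `issue` and `issuewild`; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the `host -t caa debian.org` output quoted in the message.
SAMPLE = '''\
debian.org has CAA record 0 iodef "mailto:dsa@debian.org"
debian.org has CAA record 128 issuewild ";"
debian.org has CAA record 128 issue "letsencrypt.org"
debian.org has CAA record 128 issue "amazon.com"
'''

# CAA (RFC 8659) is defined as an instruction to CAs at issuance time; here it
# is only read to list which CA domains the zone authorizes.
LINE = re.compile(r'^(\S+) has CAA record (\d+) ([A-Za-z0-9]+) "(.*)"$')

def parse_caa(text):
    """Return a list of (flags, tag, value) tuples from `host -t caa` output."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records

def issuer_domains(records, tag):
    """Issuer domains named by all properties with this tag (parameters dropped)."""
    out = set()
    for _flags, t, value in records:
        if t == tag:
            domain = value.split(";", 1)[0].strip().lower()
            if domain:  # an empty issuer domain (";") authorizes nobody
                out.add(domain)
    return out

def authorized_cas(records, wildcard=False):
    """CA domains allowed to issue; None means the RRset imposes no restriction."""
    tags = {t for _f, t, _v in records}
    # issuewild, when present, replaces issue for wildcard names only.
    if wildcard and "issuewild" in tags:
        return issuer_domains(records, "issuewild")
    if "issue" in tags:
        return issuer_domains(records, "issue")
    return None

def critical_unknown(records, known=("issue", "issuewild", "iodef")):
    """Tags with the critical bit (128) set that this parser does not understand."""
    return [t for f, t, _v in records if f & 128 and t not in known]
```
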