[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992692: general: Use https for {deb,security}.debian.org by default


On 02.09.21 03:22, Hideki Yamane wrote:

  Providing "default secure setting" is good message to users.

The TLS layer is not part of the security model, so we'd be teaching users to look for the wrong thing, kind of like the "encrypted with SSL" badges on web pages in the 90ies.

We have our own PKI that is decoupled from the X.509 certificate infrastructure, and neither ascribes any trust in them nor depends on the availability of an external service.

As it is now, I can install a Debian system where no X.509 certificate authorities are trusted.

- If I deselect all CAs in the configuration dialog of the ca-certificates package, what mechanism will allow apt to work? - Do we want to pin the certificate provider for Debian mirrors, in the knowledge that we want to be bound to this provider for several years, do we want any "root" CA to be able to provide a trust anchor? - Is there a revocation mechanism by which we can mark "root" CAs as untrustworthy?
 - What does the UI look like if OSCP verification fails?
 - How do mirror operators get a signed certificate?

I think we're adding a lot of complexity and external dependencies to the system here, which adds a lot of burden to mirror operators that aren't large CDNs. That may be acceptable for an entity like Ubuntu, who aren't dependent on donations, but we would be tied to the goodwill of CDN operators here, so:

- do we wish to communicate that the existing mirrors outside deb.debian.org are somehow less "secure"? - do we have a contingency plan if deb.debian.org hosting on Fastly is no longer feasible?


Reply to: