[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992692: general: Use https for {deb,security}.debian.org by default

On Wed, 2021-09-08 at 13:13 +0100, Tim Woodall wrote:
> This is a bit tongue in cheek, but how about these sites where the
> .debs are downloaded from publish their *private* key? They openly
> accept that anyone can MITM them.

If you have access to the private key, you can request the CA to revoke
the certificate:

| Reasons for Revoking a Subscriber Certificate
| The CA SHALL revoke a Certificate within 24 hours if one or more of
| the following occurs:
| [...]
| 3. The CA obtains evidence that the Subscriber’s Private Key
| corresponding to the Public Key in the Certificate suffered a Key
| Compromise
+---[ https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf ]

So that would not be helpful.


Reply to: