Bug#992692: general: Use https for {deb,security}.debian.org by default

To: 992692@bugs.debian.org
Subject: Bug#992692: general: Use https for {deb,security}.debian.org by default
From: Ansgar <ansgar@43-1.org>
Date: Wed, 08 Sep 2021 14:20:49 +0200
Message-id: <[🔎] 0f6dbd2129ace94c06f318be6bacb640539d01eb.camel@43-1.org>
Reply-to: Ansgar <ansgar@43-1.org>, 992692@bugs.debian.org
In-reply-to: <[🔎] alpine.DEB.2.21.2109081308300.18789@einstein.home.woodall.me.uk>
References: <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] YS9EywR3MQKlBn47@alf.mars> <[🔎] 3be2fcffdc1187466bd56e19e61a405a51e6e936.camel@43-1.org> <[🔎] 87r1e82w28.fsf@hope.eyrie.org> <[🔎] 20210902102215.f99248e0ff859b8cc478128b@iijmio-mail.jp> <YTiZ2fipJll/LgKz@alf.mars> <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] ca14340e6210ef3779fb89e0f6fd151ce5e73622.camel@43-1.org> <YTikKFgV74s/TRoz@alf.mars> <[🔎] alpine.DEB.2.21.2109081308300.18789@einstein.home.woodall.me.uk> <162963701727.2536441.3655242380753523899.reportbug@tiny>

On Wed, 2021-09-08 at 13:13 +0100, Tim Woodall wrote:
> This is a bit tongue in cheek, but how about these sites where the
> .debs are downloaded from publish their *private* key? They openly
> accept that anyone can MITM them.

If you have access to the private key, you can request the CA to revoke
the certificate:

+---
| 4.9.1.1 Reasons for Revoking a Subscriber Certificate
|
| The CA SHALL revoke a Certificate within 24 hours if one or more of
| the following occurs:
| [...]
| 3. The CA obtains evidence that the Subscriber’s Private Key
| corresponding to the Public Key in the Certificate suffered a Key
| Compromise
+---[ https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf ]

So that would not be helpful.

Ansgar

Reply to:

References:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Tim Woodall <debiandevel@woodall.me.uk>

Prev by Date: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by Date: Re: Require packages to build without any configured DNS
Previous by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread