On 26/07/2017 6:20 AM, Adam Borowski wrote:
https provides no protection against targetted attacks by government agents. The CA cartel model consists of 400+ CAs, many of them outright controlled by governments, most of the rest doing what they're told (no, warrants are are a story for nice kids). Clients in general trust _any_ CA, which means you're only as secure as the worst CA. Ie, https protects you against Joe Script Kiddie but not against a capable opponent.
Except there are new-ish ways to limit the scope from 400+ CAs to just the one you use.
Certification Authority Authorization (CAA) DNS Resource
... if APT wishes to support this.
Description: OpenPGP digital signature