Re: About GPG-signing the public RSA keys of Debian machines
Hi,
I appreciate your help (Joerg, David and Kurt), but there is still a
problem to solve before I can trust my connection to db.debian.org via
HTTPS.
Kurt Roeckx <kurt@roeckx.be> wrote:
> So Joerg just replaced them with the new ones:
> http://www.spi-inc.org/secretary/spi-ca.crt
> http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt
OK, I downloaded these, verified the first using the second, and
imported the first one in both firefox and galeon.
Then, when I point galeon or firefox to https://db.debian.org/, I get
the usual message saying the certificate is not trusted. The reason is
that the certificate I imported
(http://www.spi-inc.org/secretary/spi-ca.crt) is *not* the same as the
one advertised by db.debian.org: the former expires in 2016 (!) and has
the following SHA1 fingerprint:
D4:CB:C2:DE:8A:CE:1C:4E:4C:96:17:AA:DC:BD:9E:BA:FB:66:2C:94
while the latter expires in 2007 and has this SHA1 fingerprint:
AA:50:E3:2F:6E:AE:40:91:CB:F8:...
(cannot copy/paste from the firefox dialog box! :-/)
> They're both part of the ca-certificates package in testing and
> unstable:
> new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
> old: /etc/ssl/certs/spi-ca.pem
It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
/etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
Why do they have different extensions? This is very confusing.
>> % md5sum /etc/ssl/certs/spi-ca.pem
>> 33922a1660820e44812e7ddc392878cb /etc/ssl/certs/spi-ca.pem
>
> As pointed out by others, you can get to it using openssl.
I had thought about that, but grepping for fingerprint in openssl(1ssl)
doesn't bring anything. :-(
> But you can also try and import the key in your browser, and they say
> examine/view certificate, at which point it should show you the
> MD5 sum and SHA1 sum too.
Right, that's the easiest way. Works in galeon and firefox.
> The fingerprint of an ssh key is also something you don't check by
> running md5sum on a id_rsa.pub file, you use ssh-keygen -l for it.
True, but grepping for fingerprint in ssh(1) gives the answer as the
first hit.
> But it's alot handier that the whole public key is also available
> on the website.
I'm not sure I understand you here. The public RSA keys *are* available.
The problem is trusting them. I proposed GPG-signing them, but using SSL
is another way.
Thanks.
PS: sorry for the delays when answering; I have a very busy week...
--
Florent
Reply to: