
Re: About GPG-signing the public RSA keys of Debian machines



Hi,

I appreciate your help (Joerg, David and Kurt), but there is still a
problem to solve before I can trust my connection to db.debian.org via
HTTPS.

Kurt Roeckx <kurt@roeckx.be> wrote:

> So Joerg just replaced them with the new ones:
> http://www.spi-inc.org/secretary/spi-ca.crt
> http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt

OK, I downloaded these, verified the first using the second, and
imported the first one in both firefox and galeon.

Then, when I point galeon or firefox to https://db.debian.org/, I get
the usual message saying the certificate is not trusted. The reason is
that the certificate I imported
(http://www.spi-inc.org/secretary/spi-ca.crt) is *not* the same as the
one advertised by db.debian.org: the former expires in 2016 (!) and has
the following SHA1 fingerprint:

  D4:CB:C2:DE:8A:CE:1C:4E:4C:96:17:AA:DC:BD:9E:BA:FB:66:2C:94

while the latter expires in 2007 and has this SHA1 fingerprint:

  AA:50:E3:2F:6E:AE:40:91:CB:F8:...

(cannot copy/paste from the firefox dialog box! :-/)

> They're both part of the ca-certificates package in testing and
> unstable:
> new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
> old: /etc/ssl/certs/spi-ca.pem

It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
/etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
Why do they have different extensions? This is very confusing.

>>   % md5sum /etc/ssl/certs/spi-ca.pem
>>   33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem
>
> As pointed out by others, you can get to it using openssl.

I had thought about that, but grepping for fingerprint in openssl(1ssl)
doesn't bring anything. :-(

> But you can also try and import the key in your browser, and then say
> examine/view certificate, at which point it should show you the
> MD5 sum and SHA1 sum too.

Right, that's the easiest way. Works in galeon and firefox.

> The fingerprint of an ssh key is also something you don't check by
> running md5sum on an id_rsa.pub file, you use ssh-keygen -l for it.

True, but grepping for fingerprint in ssh(1) gives the answer as the
first hit.

> But it's a lot handier that the whole public key is also available
> on the website.

I'm not sure I understand you here. The public RSA keys *are* available.
The problem is trusting them. I proposed GPG-signing them, but using SSL
is another way.

Thanks.

PS: sorry for the delays when answering; I have a very busy week...

-- 
Florent
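
Added example, not part of the original message: a certificate fingerprint is the hash of the DER bytes inside the PEM armour, which is why md5sum on the .pem file gives a different value from the one a browser shows. The sample certificate body below is constructed filler rather than a real certificate, and the function names are hypothetical; the re-wrapped copy goes beyond the thread's case of two identical files.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_to_pem(der, width=64):
    """Wrap DER bytes in PEM armour, base64 lines of the given width."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in the text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def cert_fingerprint(pem_text, algo="sha1"):
    """Colon-separated fingerprint, as shown in a browser's certificate view."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def file_digest(pem_text, algo="sha1"):
    """Hash of the file text itself (what md5sum/sha1sum on the file gives)."""
    return hashlib.new(algo, pem_text.encode("ascii")).hexdigest().upper()

def matches_published(pem_text, published, algo="sha1"):
    """Compare against a published fingerprint; a truncated value never matches."""
    want = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    have = cert_fingerprint(pem_text, algo).replace(":", "")
    return len(want) == len(have) and hmac.compare_digest(want, have)

# Constructed stand-in for a certificate's DER encoding (not a real cert).
SAMPLE_DER = bytes(range(64)) * 4
SAMPLE_PEM = der_to_pem(SAMPLE_DER)            # e.g. saved as spi-ca.crt
REWRAPPED_PEM = der_to_pem(SAMPLE_DER, 76)     # same cert, other line width

if __name__ == "__main__":
    print("fingerprint :", cert_fingerprint(SAMPLE_PEM))
    print("file digest :", file_digest(SAMPLE_PEM))
    print("same cert   :",
          cert_fingerprint(SAMPLE_PEM) == cert_fingerprint(REWRAPPED_PEM))
```

The two PEM texts hash differently as files but yield the same fingerprint, so only the fingerprint is a sound basis for comparing a downloaded CA certificate with a published value.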


