
Re: Fwd: Fwd: question regarding verification of a debian installation iso



On Mon, Jan 03, 2011 at 03:42:42AM +0100, Naja Melan wrote:
> > You've downloaded a bunch of certificates that came with your web browser.
> >  Why do you trust them?
> >
> 
> As I pointed out above there are many problems associated with https.
> Trusting the root certificates is one of those. Still the level of trust I
> have in them comes from:
> 
> a) getting them shipped to me in a "secure" or at least "somewhat secure"
> way (which is the whole point of this thread, remember)

Is that because you can buy the OS in a store?  Was it pre-installed?

If it's a microsoft product, did you check this nice hologram on
the DVD?  Or maybe microsoft has a hash of their DVDs on its
website?  (For msdn subscribers you now can't even get the DVDs
anymore and need to download things as far as I know.)

> b) some trust in the certification authorities and everyone that is supposed
> to check them, like auditors and browser/OS developers

I have very limited trust in the CAs.

> c) some trust in developers that store and distribute them, like browser/OS
> developers to do that in a safe way

[...]

> Currently I'm installing fedora, because it seems that that is as good as it
> gets with https. Their site is very neat and informative in verifying their
> downloads, it all comes over certified https, even extra tools like the
> liveusb-creator. This gives me at least a higher sense of trust than the
> current debian situation.

Personally I have a higher trust in what Debian is shipping
because I know how things work in Debian and I've met all
the people involved and probably signed their keys myself.

So I think your problems are:
- The main website doesn't have https (because it's mirrored)
- You don't trust our CA because your browser/OS doesn't have it.
- The instructions to verify things might need to be updated.


Kurt
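The check this thread is about, written out as an added example (not part of Kurt's message and not Debian's own tooling): the published procedure is `gpg --verify SHA256SUMS.sign SHA256SUMS` followed by `sha256sum -c SHA256SUMS`, and the point the code makes explicit is that the checksum file is only worth anything once its detached signature verifies against a key fingerprint you pinned beforehand, which is exactly the "where does the trust come from" question raised above. `EXPECTED_FPR`, the key id in the sample gpg status output, and the two fake ISO files are constructed placeholders, not the real Debian CD signing key or real images.

```python
"""Offline check of a Debian-style ISO download.

Added example for this thread, not Debian's own tooling.  Two steps, in this
order: (1) the detached signature on the SHA256SUMS file must verify and come
from a key whose fingerprint was pinned in advance; (2) only then is the
downloaded image compared against the digest listed in that file.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Placeholder fingerprint (assumption, NOT the real Debian CD signing key).
# Obtain the real one out of band, e.g. from the debian-keyring of an
# installation you already trust, rather than from the download site itself.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Constructed gpg --status-fd output for a good signature from the pinned key.
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Debian CD signing key (placeholder)\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2011-01-03 1294012345 0 4 0 1 2 00 "
    f"{EXPECTED_FPR}\n"
)


def signature_trusted(gpg_status: str, expected_fpr: str) -> bool:
    """Accept only a VALIDSIG status line naming the pinned fingerprint.

    gpg emits VALIDSIG only for a good signature; its first field is the
    signing (sub)key fingerprint and, for OpenPGP, the last field is the
    primary key fingerprint.  GOODSIG is deliberately ignored: it carries a
    64-bit key id and a free-text user id, both easy to collide or forge.
    """
    want = expected_fpr.replace(" ", "").upper()
    for line in gpg_status.splitlines():
        if not line.startswith("[GNUPG:] VALIDSIG "):
            continue
        fields = line.split()[2:]
        if fields and want in (fields[0], fields[-1]):
            return True
    return False


def gpg_verify(sig_path: str, data_path: str, keyring: str = "") -> bool:
    """Run gpg on a detached signature and apply the pinned-key rule.

    Needs gpg and the signing key in the keyring; not exercised offline here.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout, EXPECTED_FPR)


def parse_sums(text: str) -> dict:
    """Parse coreutils 'HEX  NAME' / 'HEX *NAME' lines into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def sha256_file(path) -> str:
    """SHA-256 of a file, streamed so a multi-GB ISO is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_iso(sums_text: str, iso_path) -> str:
    """Return 'ok', 'mismatch' or 'not listed' for one downloaded file."""
    sums = parse_sums(sums_text)
    name = Path(iso_path).name
    if name not in sums:
        return "not listed"
    return "ok" if sha256_file(iso_path) == sums[name] else "mismatch"


def demo() -> dict:
    """Constructed data: two fake images, one of them tampered after signing."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "debian-6.0.0-amd64-netinst.iso"
        good.write_bytes(b"constructed stand-in for an ISO image\n" * 100)
        bad = Path(d) / "debian-6.0.0-i386-netinst.iso"
        bad.write_bytes(b"tampered download\n")
        # The digest for 'bad' is what the signer published; the file differs.
        sums_text = f"{sha256_file(good)}  {good.name}\n{'0' * 64}  {bad.name}\n"
        return {
            "good": check_iso(sums_text, good),
            "bad": check_iso(sums_text, bad),
            "unknown": check_iso(sums_text, Path(d) / "other.iso"),
        }


if __name__ == "__main__":
    print("signature from pinned key:", signature_trusted(STATUS_GOOD, EXPECTED_FPR))
    print(demo())
```

In real use the order matters: call `gpg_verify("SHA256SUMS.sign", "SHA256SUMS")` first and only read the sums file if it returns True; a mirror or a man-in-the-middle on a plain-http download can replace both the image and the checksum file, but not produce a signature from the pinned key.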

