
Re: TLS encrypted source for Debian iso signing keys?



On Mon, 02 Jul 12, 17:21:39, anotst01@fastmail.fm wrote:
> 
> Posting gpg signing keys works for many other websites. How it works and
> how I suggest...
> - Go to https://some-project-website.com.
> - Some root CA vouches for the identity of some-project-website.com.
> - The author posts his gpg public key (fingerprint) somewhere on
> https://some-project-website.com.
> - The root CA proves that the gpg public key belongs to the admin of
> some-project-website.com. (Possible breach in server security or root
> CA.)
> - The fingerprint was authenticated over SSL and at least the root CA
> vouched for it, better than no one.

No, it is not authenticated. If someone breaks into the webserver and 
replaces the fingerprint you would not notice it.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
