On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner <h...@at.or.at> wrote: > > SSH uses entirely unsigned keys, and it has proven a lot more reliable than > HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires > signed keys, self-signed works. The signatures are only worth the trust path > behind them, and CAs have not proven to be reliable trust paths. So if you > can't rely on the signatures, why bother using them? This is not just my > opinion, but of many others. Google uses SPKI pinning heavily, for example, > but they still use CA-signed certificates so their HTTPS works with Firefox, > IE, Opera, etc. >
SSH is hand verified when you connect initially (thus creating a “signature”). Are you are going to hand-verify each signature / key? And then against what? Why not just verify the CD download once and be done with it? If you are paranoid, build a trust relationship with a mirror that provides SSL and save their cert. Anyway, I’m really over this. Have a good day. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/3d3dc714-4833-47c3-89aa-d42b14d22...@vianet.ca
