[ I think debian-admin have read enough about my request by now, so if you reply about verifying certificates and such, please consider dropping the CC. Thanks. ]
Kurt Roeckx <[EMAIL PROTECTED]> wrote:
> See:
> http://lists.debian.org/debian-project/2006/07/msg00056.html
> Which has the key in it, and is signed by James Troup.

Good, thanks. IMHO, this mail should have been sent to dda, as happened with the compromise of 2003. This time, there was a mail to dda, ending with "We'll post more info as soon as we reasonably can", and nothing followed... for those who read dda and not -project. I did search through dda before starting this thread, and couldn't find what I was looking for (i.e., the new RSA key in a GPG-signed mail).

> Most Debian hosts should have an /etc/ssh/ssh_known_hosts with all host
> keys in. I suggest you read:
> http://db.debian.org/doc-hosts.html

I had read that before starting the thread of course, but that doesn't point to GPG-signed RSA keys.

> Anyway, if you don't trust db.debian.org, how did you log in the
> first time to any Debian machine?

The first time, yes, I had to trust the advertised key (I checked there was nothing obviously weird with the DNS data, but that's about it). However, this is not a reason to be careless when ssh warns you about the server using a new key. And you're actually reinforcing my point: had the RSA keys been available in a GPG-signed message on db.debian.org, I would not have had to blindly accept the key the first time.

> I assume you've used https and that you verified the certificate?
> And saw that it was issued by SPI? And then you looked up SPI's
> certificate? And you found that there is a text file with the SHA1 and
> MD5 sum signed by Wichert Akkerman?

Unfortunately, I'm not that competent with certificates. I already wrote I gave up when asked whether I trusted some entity in Brazil I had never heard about.

> For those that don't know those files:
> http://www.spi-inc.org/secretary/spi-ca.crt
> http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt

I didn't know these URLs, and I wouldn't bet they are well-known among DDs...

Anyway, I can verify the GPG sig of spi-ca-fingerprint.txt, but then I don't know what the MD5 and SHA1 sums in it correspond to. The file contains:

MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5

but unfortunately:

% md5sum /etc/ssl/certs/spi-ca.pem
33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem

And reading /etc/ssl/certs/spi-ca.pem is not very enlightening:

-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBvjELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0luZGlhbmExFTATBgNVBAcTDEluZGlhbmFwb2xpczEoMCYGA1UE
[...]
iexO/AlorB49KnkFS7TjCAoLOZhcg5FaNiKnlstMI5krQmau1Qnb/vGSNsE/UGms
1ts+QYPUs0KmGEAFUri2XzLy+aQo9Kw74VBvqnxvaaMeY5yMcKNOieY=
-----END CERTIFICATE-----

It would be nice to have the whole procedure for verifying the authenticity of the certificates documented somewhere...

Thanks for your reply.

-- 
Florent
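The mismatch Florent hits above has a simple cause: the "MD5 Fingerprint=" line in spi-ca-fingerprint.txt is the digest of the certificate's DER encoding (the bytes you get by base64-decoding the PEM body), while `md5sum` digests the PEM text file itself, armour lines and all. The script below is an added example, not part of the original mail or of any SPI/Debian tooling; it decodes a PEM block to DER, computes the fingerprint in OpenSSL's colon-separated form, and checks it against lines in the fingerprint file's format. The `SAMPLE_PEM` is a constructed stand-in whose base64 payload decodes to the bytes `abc` (a known hash test vector), not a real certificate, so the expected values can be checked by hand; the function and variable names are this example's own.

```python
import base64
import hashlib
import re

# Constructed stand-in, NOT a real certificate: "YWJj" is base64 for b"abc",
# so the "DER" bytes are the well-known hash test vector "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Matches lines such as "MD5 Fingerprint=ED:85:3A:..." as found in
# spi-ca-fingerprint.txt and in `openssl x509 -fingerprint` output.
_FP_LINE = re.compile(
    r"^\s*(MD5|SHA1|SHA256)\s+Fingerprint\s*=\s*"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$")


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.
    A certificate fingerprint is a digest over these bytes, never over
    the base64 text that md5sum sees."""
    m = _PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def format_fingerprint(digest: bytes) -> str:
    """Colon-separated upper-case hex, the form OpenSSL prints."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint(pem_text: str, algo: str) -> str:
    """Same value as `openssl x509 -noout -fingerprint -<algo> -in file.pem`."""
    return format_fingerprint(hashlib.new(algo, der_from_pem(pem_text)).digest())


def file_md5sum(pem_text: str) -> str:
    """What `md5sum file.pem` prints: a digest of the PEM text itself,
    which is why it never matches the fingerprint line."""
    return hashlib.md5(pem_text.encode()).hexdigest()


def parse_fingerprint_line(line: str):
    """Return (algorithm, FINGERPRINT) from a 'XXX Fingerprint=' line."""
    m = _FP_LINE.match(line)
    if m is None:
        raise ValueError(f"not a fingerprint line: {line!r}")
    return m.group(1).lower(), m.group(2).upper()


def verify_against_lines(pem_text: str, lines) -> dict:
    """Check the certificate against every fingerprint line in `lines`
    (other lines, e.g. the GPG armour, are skipped). Returns algo -> bool.
    The GPG signature on the file must be checked separately; this only
    ties the file's contents to the certificate you actually have."""
    results = {}
    for line in lines:
        try:
            algo, expected = parse_fingerprint_line(line)
        except ValueError:
            continue
        results[algo] = fingerprint(pem_text, algo) == expected
    return results


if __name__ == "__main__":
    print("md5sum of PEM text :", file_md5sum(SAMPLE_PEM))
    print("MD5 Fingerprint    :", fingerprint(SAMPLE_PEM, "md5"))
    print("SHA1 Fingerprint   :", fingerprint(SAMPLE_PEM, "sha1"))
```

On a real file the same check is one OpenSSL command, `openssl x509 -noout -fingerprint -md5 -in /etc/ssl/certs/spi-ca.pem`, whose output line is exactly what the signed fingerprint file should contain; the Python above just makes visible why `md5sum` on the PEM file can never agree with it.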

