On Sun, 23 Jan 2011 20:22:34 -0600 Raphael Geissert wrote: > Michael Gilbert wrote: > > There is no need to worry about additional load on the mirrors since > > the only thing that needs to be verifiable are the checksums > > themselves, and that could easily be hosted on a centralized https > > server separate from the mirror system. > > The Debian CDs and the Archive Signing keys can be found at keyring.d.o
Right, I suppose that even the checksums themselves don't need to be served over https (as long as they're signed by an official key that can be obtained in a secure manner; via web of trust, over https, or otherwise). > Additionally, the archive signing key can be found at: > https://ftp-master.debian.org/keys.html The problem from Naja's perspective is that the SPI cert was not issued by a CA, and for (some) users outside the web of trust that in itself is a non-starter. In that sense, an official CA cert would be a modest improvement in security (even with all of its flaws/shortcomings); although the ideal solution would be to get the user to become a part of the web of trust. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110123221136.61cc6950.michael.s.gilb...@gmail.com