For apt-get, a self-signed certificate could be used, which comes together with Debian. No CA required. This is both simpler and safer.

Vipul Agarwal:
> How about if we use an SSL certificate signed by Debian's own root CA which
> can be shipped with the distros? This will eliminate the paranoia about NSA
> having control over the existing CA especially the one based in the States.
>
> -Vipul
> On Oct 29, 2013 4:18 AM, "Volker Birk" <[email protected]> wrote:
>
>> On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
>>> It's a bit ironic that the Debian security site doesn't offer SSL, right?
>>> If an attacker can MITM an organization that uses Debian, then they can
>>> MITM the Debian security page and control what security bulletins that
>>> organization can access.
>>
>> BTW: if the NSA take one single trusted CA (and they did for sure),
>> HTTPS is b0rken for each site.
>>
>> Yours,
>> VB.
>> --
>> Volker Birk
>> Oberer Graben 4, 8400 Winterthur, Schweiz
>> mailto:[email protected] http://fdik.org

