On Wed, 30 Oct 2013 09:59:39 +0000 adrelanos <adrela...@riseup.net> wrote:
> For apt-get a self-signed certificate could be used which comes together
> with Debian. No CA required. This is both simpler and safer.

Maybe I'm missing something, but the security of the apt system has nothing to do with SSL - it uses GPG signatures. This discussion about SSL concerns the website, etc.

> Vipul Agarwal:
> > How about if we use an SSL certificate signed by debian's own root CA which
> > can be shipped with the distros? This will eliminate the paranoia about NSA
> > having control over the existing CA especially the one based in the States.
> >
> > -Vipul
> > On Oct 29, 2013 4:18 AM, "Volker Birk" <v...@pibit.ch> wrote:
> >
> >> On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
> >>> It's a bit ironic that the Debian security site doesn't offer SSL, right?
> >>> If an attacker can MITM an organization that uses Debian, then they can
> >>> MITM the Debian security page and control what security bulletins that
> >>> organization can access.
> >>
> >> BTW: if the NSA take one single trusted CA (and they did for sure),
> >> HTTPS is b0rken for each site.
> >>
> >> Yours,
> >> VB.
> >> --
> >> Volker Birk

Celejar

Archive: http://lists.debian.org/20131030075125.022d6d356fe495d58b1c0...@gmail.com
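Added example (not from the thread and not apt's own code) illustrating the point above that apt's integrity does not depend on the transport: apt verifies the detached signature on the Release file (Release.gpg, or the inline InRelease) with gpgv against the keys in its trusted keyring, and every index below it is then pinned by the size and hash that signed file lists. The script below performs that second step on a constructed Release file and Packages index, and shows that an index swapped in transit fails even when its size is unchanged. The package name, paths and hashes are made up for the example, and the signature check itself is assumed to have already passed.

```python
"""Verify a package index against a Debian Release file's hash list.

Constructed sample data, not taken from the thread or from apt's own code.
The Release file is where apt's trust is rooted: its detached signature
is checked with gpgv against the archive keyring, and every index below it
(Packages, Sources, Contents) is pinned by the size and hash listed here.
The signature check is assumed to have passed before this code runs.
"""
import hashlib
import re
from typing import Dict, Tuple

# Constructed Packages index for a single fictitious package (not a real Debian package).
PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    "SHA256: " + "0" * 64 + "\n"
    "\n"
)


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> Dict[str, Tuple[int, str]]:
    """Return {path: (size, hexdigest)} from the named hash section.

    A Release file lists one section per algorithm ("MD5Sum:", "SHA256:", ...),
    each followed by indented lines of the form "<hash> <size> <path>".
    """
    entries: Dict[str, Tuple[int, str]] = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A top-level field; we are in the wanted section only if this is its header.
            in_section = line.rstrip(":") == algo
            continue
        if not in_section:
            continue
        m = re.match(r"\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)$", line)
        if m:
            digest, size, path = m.groups()
            entries[path] = (int(size), digest.lower())
    return entries


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """True iff `data` matches the size and SHA256 the Release file lists for `path`.

    An index the signed Release file does not list is rejected outright.
    """
    entries = parse_release_hashes(release_text)
    if path not in entries:
        return False
    size, digest = entries[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def build_release(indexes: Dict[str, bytes]) -> str:
    """Build an (unsigned) Release file body listing the given indexes."""
    lines = [
        "Origin: Debian",
        "Suite: stable",
        "Codename: example",
        "Architectures: amd64",
        "Components: main",
        "SHA256:",
    ]
    for path, data in sorted(indexes.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


# Constructed scenario: the mirror served this Release file (signature assumed verified).
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = build_release({INDEX_PATH: PACKAGES_INDEX.encode()})

# What an in-path attacker might substitute: same index, same length, different .deb hash.
TAMPERED_INDEX = PACKAGES_INDEX.replace("0" * 64, "f" * 64)


def demo() -> Tuple[bool, bool]:
    """Return (genuine index verifies, tampered index verifies)."""
    return (
        verify_index(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX.encode()),
        verify_index(RELEASE_TEXT, INDEX_PATH, TAMPERED_INDEX.encode()),
    )


if __name__ == "__main__":
    genuine, tampered = demo()
    print(f"genuine index verifies: {genuine}")    # True
    print(f"tampered index verifies: {tampered}")  # False
```

The chain only holds if the Release signature is actually checked first; a mirror (or a man-in-the-middle) that can serve an unsigned or differently-signed Release file gets to rewrite this hash list, which is why the archive keyring, not the CA system, is the trust anchor here.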