On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner <h...@at.or.at> wrote:

> As for how to manage making HTTPS by default, this does not require every
> mirror buying HTTPS certificates every year from Certificate Authorities.
> There are workable solutions based on self-signed certificates.
>
> In Android apps, there are two approaches that are gaining traction:
> including certificate pins based on the Subject Public Key Info (SPKI) in an
> apt in advance (https://www.imperialviolet.org/2011/05/04/pinning.html). And
> using "Trust On First Use/Persistence of Pseudonym" aka "Memorizing Trust
> Manager" (https://github.com/ge0rg/MemorizingTrustManager) to do ssh-style
> trust with a yes/no prompt the first time. These can also be optionally
> combined with the classic Certificate Authority, to provide a redundant check.
>
> We've been thinking about how to make this workable, here are some notes:
> https://dev.guardianproject.info/projects/bazaar/wiki/Chained_TLS_Cert_Verification
>
> Or there could be a password-based CA-replacement like http://tack.io

Self-signed? Really? This is full of issues. Just because someone spends time on an idea, doesn’t mean it’s a good one.

But this does trigger another idea; Debian could create their own CA for managing the project’s SSL infrastructure. Then we would just need to trust the Debian CA.