>> HTTPS is not a verified channel. Our current CA system is really
>> fragile
>
> It is, but it works a lot better than the PGP web of trust in that it
> doesn't require people to get together to engage in quaint key signing
> rituals.
PGP has a web of trust, but in our CA system anyone with an intermediate that is trusted can impersonate anyone they want, and no one would notice unless they manually go and check who has signed the server cert. Unfortunately we don't have anything that would work better than key signing rituals, and the CA system we have is objectively worse in every way except in that the keys are already trusted and the user doesn't even have to know they are there, and even this can be seen as a negative thing for security.

> Signing the installer script would provide only a minor increase in
> security (in that it would require the signing key to be compromised,
> rather than the nixos.org certificate). I don't object to doing that
> though.

That is quite a major increase in security, actually. Compromising a key that can be kept offline most of the time is a lot harder than obtaining a signed certificate for the nixos.org domain. You do not have to have the original nixos.org certificate to perform a man-in-the-middle attack.

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
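The distinction the reply draws, as an added example that is not from the thread or from the Nix project: a verifier that accepts an installer only if a detached signature checks out under a pinned release key, so a certificate issued for the domain by any trusted intermediate is not enough on its own. The Ed25519 key pair, the script bytes and the key name are constructed for the example; nothing about the project's real signing scheme is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinnedKey is the public half of a release signing key, shipped with the
// verifier. The private half can stay offline, unlike a TLS server key.
type PinnedKey struct {
	Name string
	Pub  ed25519.PublicKey
}

var ErrUntrusted = errors.New("installer: signature does not verify under any pinned key")

// VerifyInstaller returns the name of the pinned key that signed script, or
// ErrUntrusted. TLS only says which server delivered the bytes; this check says
// which key vouched for them, so a mis-issued certificate alone is not enough.
func VerifyInstaller(script, sig []byte, pins []PinnedKey) (string, error) {
	if len(sig) != ed25519.SignatureSize {
		return "", ErrUntrusted
	}
	for _, p := range pins {
		if ed25519.Verify(p.Pub, script, sig) {
			return p.Name, nil
		}
	}
	return "", ErrUntrusted
}

func main() {
	// Constructed key pair standing in for the release key (assumption).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pins := []PinnedKey{{Name: "nix-release-key", Pub: pub}}
	fmt.Println("pinned key:", hex.EncodeToString(pub))

	script := []byte("#!/bin/sh\necho installing nix\n") // constructed installer
	sig := ed25519.Sign(priv, script)                  // done offline at release time
	fmt.Println(VerifyInstaller(script, sig, pins))

	// Bytes altered in transit still arrive over "valid" HTTPS, but the
	// signature no longer matches, so the installer is refused.
	tampered := append([]byte(nil), script...)
	tampered[len(tampered)-2] = '!'
	_, err := VerifyInstaller(tampered, sig, pins)
	fmt.Println("tampered:", err)
}
```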
