* Luca Filipozzi <lfili...@debian.org> wrote:
> On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> > Thanks, I just reset the password on my account only to realize that
> > SSL is not being used by default on wiki.d.o.
> 
> Yes. :/
> 
> > Surely this will be fixed in the very near future?
> 
> DSA and DWA are in discussion about enforcing encryption at all
> authentication points.  We're currently debating the pros/cons of
> using a commercial SSL cert vs a Debian SSL cert.  Given the dubious
> value of commercial certificates, I'm in favour of the latter but I
> appreciate that some users will find the browser warnings to be
> confusing.

Coincidentally, I'm taking a break from rolling out a new (internal
only) PKI infrastructure at $work to write this e-mail.

Enforcing encryption at any/all authentication points is something that,
I hope, should not even need discussing. It should be enabled at any
such points.

If money wasn't a concern, I'd be in favor of rolling out commercial
certificates everywhere simply to avoid any of the browser warnings.

I'll admit ignorance when it comes to not knowing how or where Debian
uses SSL certificates on public-facing infrastructure (although a quick
check seems to indicate SSL isn't enabled on www.d.o), but I see no
reason why certificates signed by SPI's CA (whose certificate is
included in ca-certificates) could not be used.

Alternatively, perhaps certificates from CAcert.org for public-facing
services (does anyone besides Debian include their root CA certificate)
and certificates from a private CA for use on "Debian internal"
services?

Obviously, there are a number of things to consider; I'm simply tossing
out ideas at this point.

> OTOH, I'd argue that if one wishes to maintain content at
> wiki.debian.org, then one should understand the basics of PKI.  What
> do you think?

Agree. Being technical folks, I would guess that a large number of
Debian users *do* understand the basics of PKI and why a certificate
signed by a commercial CA is not technically "more secure" than one
signed by a private CA. For those who don't, well, they should be able
to understand why after ten minutes of reading.

-- 
Jeremy Gaddis

Archive: http://lists.debian.org/20130107024611.gb10...@hq.evilrouters.net