-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi,
Am Di den 1. Apr 2014 um 9:06 schrieb Thijs Kinkhorst: > On Tue, April 1, 2014 08:57, Klaus Ethgen wrote: > > Hmmm, for some reason someone changed the certificte of bugs.debian.org > > to a unknown certificate issuer so "bts show" does not work anymore. Who > > the hell is GANDI CA? > > You're kidding right, maybe because of the date? The Gandi CA is signed by > the UTN Userfirst root CA which is in ca-certificates. Your whole argument > revolves around the fact that a certificate must be in ca-certificates for > you to be able to use/trust it. However, if the BTS uses a CA that is > actually included in ca-certificates, you throw up your arms in the air? > I'm really at a loss here. Hmm.. A bit OT to this bug but only a bit. Well, I have only trusted CAs enabled in ca-certificate and the spi as it was used before for debian sites. However, I had a bad feeling at this CA as I cannot check there trustability. "UTN Userfirst" is completely unknown for me. So I don't had enabled it. But I might be one of the only people that selects which CAs to trust and which not. It is really a problem with that intermediate certificates. But this problem lies in ssl/tls at all. Its a structural problem. But when we are at the point that it is a application fault not to allow single certificates, then we can count bts itself in as it only tells the user that it is not able to connect to b.d.o. And to go back fully to topic. As I told before, I do not say to include cacert _and_ enable it by default. Just have it in the package and leaving it to the admin to decide to enable it. > > No, it's a wget problem that you can only specify to not check any > > certificate or check any (--no-check-certificate). There is no way to > > only skip this particular certificate from one side. > > There is. How to add certificates to the trusted store is documented in > ca-certificates and has also been explained in this bug. Hmm. Not with wget alone. True, you can include it in /etc/ssl (/usr/local/...) but you cannot just accept an wget connection by checking the fingerprint. including it in usr_local for ca-certificates is an admin decision. The user using wget has no such way. > > I just gave the examples I use on a daily base. For normal users there > > are similar programs. However, I saw also mutt users that just gave a > > fuck about the fingerprint they are provided with and just accepted it. > > I agree that these users exist. However, if they accept anything, then > they are by definition not influenced by what is in ca-certificates or > not. Any attacker will already be able to control their connection. Thats true, but _what_ is the reason that such users exists? Its the fact that they was getting asked too often for stuff that could be handled without asking. Its the same problem that firefox is fighting by making the accepting of unknown certificates just one or two clicks more. But the real problem is to lull the user with too many questions. And now we have several more questions cause of the removal of cacert. It is the decision of the service provider to use cacert. So that certificate should be trusted by the user. If some other certificate of a MITM pops up, that should trigger an alert. But now also the correct certificate triggers an alert. Regards Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <kl...@ethgen.de> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJTOoRzAAoJEKZ8CrGAGfasULML+wdlip5hL6r3I8VAJwkVBuhQ GG8scSq/pfQ9A+G/JGNgsirNadx1qT46AgjwEKwfMwJPhDXdZDfAx3E5UwfSBzyo IlaMeGnYnJll3Ozq3umaMNkYgPcTRM/oCd9VL6Plv6TTB/xib1YVKH6Mvd/82yOm ahFlvcvdst9wijzehX1JEfygw0OvL/SK3Lc0SkGeJjoyebgZfjy6uPyI230ZYLbk 3+4jgEp5It3T7pXw+FBzqqsCOvXbiYUuyMEdZppcngkcDU/ZY7YcfXufW/j5u3Bk 0sL+1LjP9+5cVNQN8EIorKKwDD7e9JZvN9nXvp6znEfW1kJm5wuTlrla4LgPEMbA UGrFwLTKBLcKcLvjIpi27SMKaUkqmcVerm0S+KnbEl0XGyRfhwbX67sxzQoIGcWR SgGPSHD9xI/8fOjwlh9M0AAR+8dg5oicYSkMp3Qc91TZm56epU/exIvNOmiCb8ns Uc7t1OE97nxQQbBuckyTOdNwsLQ6G/uhbkfSCzDncA== =VvY/ -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
