Vincent Lefevre <vinc...@vinc17.net> writes:

> On 2014-06-17 13:20:59 +0100, Simon McVittie wrote:
>> It should be possible to make a CA certificate that is only considered
>> to be valid for the spi-inc.org and debian.org subtrees, and then trust
>> the assertion that SPI control that certificate - but in widely-used
>> applications, that isn't possible. If SPI can sign certificates for
>> debian.org, then they can also sign certificates for my bank, and my
>> browser will think those are just as valid.

> I agree. However I don't think that the particular case of a Debian Root
> CA would be a problem, since you must absolutely trust it. If something
> bad happens at this level, this would mean that downloaded packages from
> debian.org may actually be compromised ones, and in such a case, your
> whole machine should be regarded as compromised.

This is only true if the root CA is maintained with the same level of
security as the PGP signing key for the archive. While that's something
that we could probably do (although it's worth not underestimating how
much care goes into maintaining that key), we cannot maintain the same
level of security on the individual certificates signed by that CA. In
order to use them to secure apt transactions, this necessarily implies
distributing the private keys across our mirror network.

The signing key for the archive is inherently much easier to secure
properly than any user-facing key for a debian.org domain because the
signing key for the archive can live on one and only one machine that is
secured as tightly as we are capable of securing it and which is under
the exclusive control of the relevant core teams in Debian.

Because of that, I would much rather find good ways to trust the PGP
signatures on the archive than to attempt to do anything with X.509. The
trust model and key management properties of X.509 are inherently
inferior for our purposes.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/877g4edu77....@windlord.stanford.edu
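The name-constrained CA that Simon McVittie describes in the quoted text is the RFC 5280 nameConstraints extension, and OpenSSL can both issue and verify such a chain. The script below is an added example, not code from the thread or from Debian or SPI; the root CA name, the host names and the file names are all hypothetical, and it assumes a local openssl binary (1.1.1 or later). It builds a root whose permitted subtrees are debian.org and spi-inc.org, issues one leaf inside those subtrees and one outside, and shows that OpenSSL's verifier accepts the first and rejects the second with a permitted-subtree violation. What it demonstrates is OpenSSL's own path validation; whether a given browser or TLS library honours the extension is a separate question, which is the reservation the quoted message raises.

```shell
#!/bin/sh
# Added example: a CA restricted to the debian.org and spi-inc.org
# subtrees via the X.509 nameConstraints extension, checked with OpenSSL.
# All names below are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: CA:TRUE plus a critical nameConstraints extension. A DNS
# constraint of "debian.org" permits that name and every label under it.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Constrained Root (hypothetical)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:debian.org, permitted;DNS:spi-inc.org
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 30 -config root.cnf 2>/dev/null

# issue_leaf HOSTNAME BASENAME: sign an end-entity certificate for HOSTNAME
# with the constrained root, putting HOSTNAME in both CN and subjectAltName.
issue_leaf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" \
    > "$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -config "$2.cnf" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$1" \
    > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -out "$2.pem" -days 30 -extfile "$2.ext" 2>/dev/null
}

# verify_leaf BASENAME: exit status 0 if the chain validates under the root,
# non-zero otherwise (for a name outside the permitted subtrees OpenSSL
# reports "permitted subtree violation").
verify_leaf() {
  openssl verify -CAfile root.pem "$1.pem" >/dev/null 2>&1
}

issue_leaf ftp.debian.org inside          # within the permitted subtrees
issue_leaf online.bank.example outside    # the "my bank" case from the thread

for leaf in inside outside; do
  if verify_leaf "$leaf"; then
    echo "$leaf: chain accepted"
  else
    echo "$leaf: chain rejected by name constraints"
  fi
done
```

The root's constraint is marked critical, which is what makes a conforming verifier that does not understand the extension reject the chain rather than silently ignore the restriction; the second leaf fails even though its signature by the root is valid, because path validation, not signature checking, is where the subtree rule is applied.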