On Fri, May 29, 2015 at 7:40 AM, Russ Allbery wrote:

> I'm fine with locking the doors. I'm not fine with paying protection
> money to a Mafia goon who claims they'll lock your windows, and sort of
> sometimes does. It's the extortion component that pisses me off about
> HTTPS.

LetsEncrypt will save us!

> If we can use a Debian-specific CA, we can do cert pinning, since we're
> then assuming we have some control over the client. I was assuming a
> general client where we'd have to play nice with the normal CA roots.

Then we would constantly get complaints from Ubuntu/etc developers/users about why Debian uses invalid certs, as we did before Debian moved to mafia certs. Unfortunately I don't think it is possible to use both mafia CAs and non-mafia CAs without adding say a lot of non-mafia subdomains, like non-mafia.www.debian.org.

--
bye,
pabs

https://wiki.debian.org/PaulWise