Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-10 Thread Björn Persson
Michael Catanzaro wrote: On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote: Isn't the whole point to eliminate the need for third party certificate authorities entirely? Well I think you could choose to do that, or you could choose to use it as an additional security measure on

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-10 Thread Björn Persson
Michael Catanzaro wrote: I'm confused on one point: why would the user ever want to turn off DNSSEC validation (except to get past a captive portal)? It sounds like you have no shortage of safeguards in place to make sure this always works: for it to break the user would have to be on a

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-10 Thread Mike Pinkerton
On 10 Jul 2015, at 15:40, Björn Persson wrote: Michael Catanzaro wrote: On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote: Isn't the whole point to eliminate the need for third party certificate authorities entirely? Well I think you could choose to do that, or you could choose to

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Petr Spacek
On 2.7.2015 17:56, Michael Catanzaro wrote: On Thu, 2015-07-02 at 16:38 +0200, Reindl Harald wrote: this type of attitude? everybody who reads IT news over the past years about CAs issued certificates even for Google knows that a CA signed certificate does not prove anything - the real

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Mike Pinkerton
On 3 Jul 2015, at 10:44, Michael Catanzaro wrote: On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote: For the record, and all this can be solved by DNSSEC + DANE. See RFC 6698. I was planning to use DANE as a second required check in addition to the normal certificate chain. That is, if

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Michael Catanzaro
On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote: For the record, and all this can be solved by DNSSEC + DANE. See RFC 6698. I was planning to use DANE as a second required check in addition to the normal certificate chain. That is, if either the certificate chain doesn't check out or DANE

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Paul Wouters
And dnssec-validator.cx for a Firefox/chrome plugin that you can see in action against fedoraproject.org that already deploys this Sent from my iPhone On Jul 3, 2015, at 10:43, Petr Spacek pspa...@redhat.com wrote: On 2.7.2015 17:56, Michael Catanzaro wrote: On Thu, 2015-07-02 at 16:38

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Michael Catanzaro
On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote: Isn't the whole point to eliminate the need for third party certificate authorities entirely? Well I think you could choose to do that, or you could choose to use it as an additional security measure on top of traditional certificate

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread drago01
On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald h.rei...@thelounge.net wrote: Am 02.07.2015 um 02:30 schrieb Michael Catanzaro: On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote: Principles are good and well. But how many times did you actually USE that option you so reluctantly

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Matthew Miller
On Thu, Jul 02, 2015 at 04:04:37PM +0200, drago01 wrote: a self signed certificate is exactly as secure as a CA certificate you pay for after there are hundreds and thousands by default trusted CAs in the browsers with the only difference you have to accept it once No, it's not. Because

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Reindl Harald
Am 02.07.2015 um 16:04 schrieb drago01: On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald h.rei...@thelounge.net wrote: Am 02.07.2015 um 02:30 schrieb Michael Catanzaro: On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote: Principles are good and well. But how many times did you actually

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Bastien Nocera
- Original Message - snip *lol* and with a CA certificate you can? A lot of us are sick of this type of attitude on fedora-devel, to the point where we don't actually care what you think anymore. Take this as an opportunity to read instead of jumping at people's throat with an attitude

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Reindl Harald
Am 02.07.2015 um 16:33 schrieb Bastien Nocera: - Original Message - snip *lol* and with a CA certificate you can? A lot of us are sick of this type of attitude on fedora-devel, to the point where we don't actually care what you think anymore. Take this as an opportunity to read

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Reindl Harald
Am 02.07.2015 um 16:16 schrieb Reindl Harald: Am 02.07.2015 um 16:04 schrieb drago01: On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald h.rei...@thelounge.net wrote: Am 02.07.2015 um 02:30 schrieb Michael Catanzaro: On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote: Principles are good

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-02 Thread Matthew Miller
In any case, this is drifting significantly off-topic. Anyone interested in continuing it further, please use other venues. -- Matthew Miller mat...@fedoraproject.org Fedora Project Leader

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Reindl Harald
Am 02.07.2015 um 00:40 schrieb Paul Wouters: On Tue, 30 Jun 2015, Michael Catanzaro wrote: What we basically do not want is to give the user an option for turning a security feature off. That's the same as saying remove the continue anyway from the browser. Only the human can determine if it

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Tue, 30 Jun 2015, Bastien Nocera wrote: Once DNSSEC is more widely deployed What is more widely deployed? http://www.internetsociety.org/deploy360/wp-content/uploads/2013/04/2015-06-19-2015-06-19.png There are 991 zones in the root and 814 are signed and securely delegated.

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Michael Catanzaro
On Wed, 2015-07-01 at 18:40 -0400, Paul Wouters wrote: That's the same as saying remove the continue anyway from the browser. Yeah, I want to do that too; actually I added it to Epiphany myself, not because it's a good idea, but because I know we'll be in for complaints otherwise, because

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Tue, 30 Jun 2015, Michael Catanzaro wrote: I'm confused on one point: why would the user ever want to turn off DNSSEC validation (except to get past a captive portal)? It sounds like you have no shortage of safeguards in place to make sure this always works: for it to break the user

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Michael Catanzaro
On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote: Principles are good and well. But how many times did you actually USE that option you so reluctantly implemented? :) Actually, I honestly don't remember ever using it except testing it during development. I just don't visit broken sites.

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Reindl Harald
Am 02.07.2015 um 02:30 schrieb Michael Catanzaro: On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote: Principles are good and well. But how many times did you actually USE that option you so reluctantly implemented? :) Actually, I honestly don't remember ever using it except testing it

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Reindl Harald
Am 02.07.2015 um 02:13 schrieb Michael Catanzaro: On Thu, 2015-07-02 at 00:44 +0200, Reindl Harald wrote: the more important question: who do gnome developers think they are to make such decisions? Hi Reindl, If you know enough about TLS to decide whether to click the Load Anyway button in

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Wed, 1 Jul 2015, Michael Catanzaro wrote: Date: Wed, 1 Jul 2015 19:26:55 From: Michael Catanzaro mcatanz...@gnome.org To: devel@lists.fedoraproject.org Subject: Re: dnssec-trigger + GNOME + NetworkManager integration On Wed, 2015-07-01 at 18:40 -0400, Paul Wouters wrote: That's the same

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Michael Catanzaro
On Thu, 2015-07-02 at 00:44 +0200, Reindl Harald wrote: the more important question: who do gnome developers think they are to make such decisions? Hi Reindl, If you know enough about TLS to decide whether to click the Load Anyway button in your browser on a particular site, or enough about

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Bastien Nocera
- Original Message - snip No, it is not. It is opt-in now, we want it by default. Please read the change. Thank you. I don't see any options about it in GNOME's Network panel. I'm not interested in integration as an afterthought. I think it best to stop this dead-end discussion

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Stef Walter
On 30.06.2015 11:24, Tomas Hozza wrote: On 26.06.2015 17:13, Matthias Clasen wrote: On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: Hey, I was out for a week, so this may be a bit of a late reply. As Michael and Bastien already stated, all the GNOME networking UI relies on information

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Bastien Nocera
- Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some attacker's. The insecure mode means that you are vulnerable in the same way as the

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Stef Walter
On 30.06.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some attacker's. The insecure mode means that

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Petr Spacek
On 30.6.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some attacker's. The insecure mode means that

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 13:46, Stef Walter wrote: On 30.06.2015 11:24, Tomas Hozza wrote: On 26.06.2015 17:13, Matthias Clasen wrote: On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: Hey, I was out for a week, so this may be a bit of a late reply. As Michael and Bastien already stated, all the

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Bastien Nocera
- Original Message - On 30.6.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 13:58, Stef Walter wrote: On 30.06.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Bastien Nocera
- Original Message - On 30.06.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should be connected to, but instead by some attacker's. The insecure mode means that

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 14:11, Bastien Nocera wrote: - Original Message - On 30.06.2015 13:53, Bastien Nocera wrote: - Original Message - On 30.06.2015 11:24, Tomas Hozza wrote: snip It means that the site of your bank you are on may not be provided by the actual host you should

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 14:37, Bastien Nocera wrote: - Original Message - snip No, it is not. It is opt-in now, we want it by default. Please read the change. Thank you. I don't see any options about it in GNOME's Network panel. I'm not interested in integration as an afterthought.

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 16:07, Michael Catanzaro wrote: On Tue, 2015-06-30 at 11:24 +0200, Tomas Hozza wrote: The thing is that some information is unrelated to NM. There is no reason to push all information back to NetworkManager, since its role is explicitly defined - manage network connections and

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Michael Catanzaro
On Tue, 2015-06-30 at 11:24 +0200, Tomas Hozza wrote: The thing is that some information is unrelated to NM. There is no reason to push all information back to NetworkManager, since its role is explicitly defined - manage network connections and leave the DNS resolution and configuration up

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Michael Catanzaro
On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote: Except that this is exactly what we DON'T want to do. DNSSEC is an extension of DNS and it can be used even without the need for the whole Internet to be signed. We want to use it even if the network-provided DNS resolvers don't support

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 30.06.2015 16:07, Michael Catanzaro wrote: On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote: Except that this is exactly what we DON'T want to do. DNSSEC is an extension of DNS and it can be used even without the need for the whole Internet to be signed. We want to use it even if

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Stef Walter
On 30.06.2015 16:50, Tomas Hozza wrote: On 30.06.2015 16:07, Michael Catanzaro wrote: On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote: Except that this is exactly what we DON'T want to do. DNSSEC is an extension of DNS and it can be used even without the need for the whole Internet

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-30 Thread Tomas Hozza
On 26.06.2015 17:13, Matthias Clasen wrote: On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: Hey, I was out for a week, so this may be a bit of a late reply. As Michael and Bastien already stated, all the GNOME networking UI relies on information gotten from NetworkManager, and we'd

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-29 Thread Bastien Nocera
- Original Message - snip GNOME shell also launches a browser when needed for captive portal login. If we need to tweak the way the browser is launched to make it work on a dnssec-enabled system, that should be possible. Unfortunately on my system it doesn't launch a browser, but

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-26 Thread Bastien Nocera
- Original Message - Hello, On Tuesday, 23 June 2015 10:13 PM, Tomas Hozza wrote: Now we know that we have at least 3 components on the system, that are trying to do the same thing - Captive Portal detection: - dnssec-trigger - NetworkManager - GNOME Shell We don't

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-26 Thread Matthias Clasen
On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: Hey, I was out for a week, so this may be a bit of a late reply. As Michael and Bastien already stated, all the GNOME networking UI relies on information gotten from NetworkManager, and we'd like to keep it that way. In particular,

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-26 Thread Igor Gnatenko
On Jun 26, 2015 6:14 PM, Matthias Clasen mcla...@redhat.com wrote: On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: Hey, I was out for a week, so this may be a bit of a late reply. As Michael and Bastien already stated, all the GNOME networking UI relies on information gotten from

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-24 Thread P J P
Hello, On Tuesday, 23 June 2015 10:13 PM, Tomas Hozza wrote: Now we know that we have at least 3 components on the system, that are trying to do the same thing - Captive Portal detection: - dnssec-trigger - NetworkManager - GNOME Shell We don't have a problem with turning the detection

dnssec-trigger + GNOME + NetworkManager integration

2015-06-23 Thread Tomas Hozza
Hi all. I would like to start a new fresh discussion where we can hopefully converge towards successful integration of default DNS resolver with NetworkManager on Fedora Workstation (GNOME). I think there are (at least) two major issues that need to be resolved: - system-wide Captive Portal

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-06-23 Thread Michael Catanzaro
On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote: I hope that GNOME Shell somehow only displays the state provided by NM. Bastien, please correct me if I'm wrong and please elaborate on the details of what the functionality does (e.g. if you launch a new browser or so). Yes, that's