On Fri, 10 May 2013, Paul Wise wrote:
> On Fri, May 10, 2013 at 4:33 AM, Russ Allbery wrote:
>
> > That level of security isn't great, though. GPG keys are much more secure
> > than that password. What we would want for equivalent security in a web
> > interface is personal X.509 certificates.
> >
> > I think it would be interesting to have that infrastructure in place, but
> > someone would need to build it (probably with some mechanism to bootstrap
> > GPG keys into X.509 certificates -- and be careful of expiration times and
> > figure out a good way to deal with revocation).
>
> That mechanism already exists (and supports SSH too):
> http://web.monkeysphere.info/
I don't think that you're speaking of the same thing. I see no information about "X.509 client certificates" in Monkeysphere. It offers ways to validate the server certificate (if it's not signed by a known CA), but it doesn't seem to offer any solution to manage client certificates.

That said, we already have http://sso.debian.org (http://wiki.debian.org/DebianSingleSignOn), which we should aim to leverage for authentication. And if it's not secure enough (and IIRC DSA doesn't want people to use this SSO for sensitive operations), then that's the single point where we should improve our infrastructure.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

Archive: http://lists.debian.org/20130510061621.ga16...@x230-buxy.home.ouaza.com