On 2014-06-17 13:20:59 +0100, Simon McVittie wrote: > It should be possible to make a CA certificate that is only considered > to be valid for the spi-inc.org and debian.org subtrees, and then trust > the assertion that SPI control that certificate - but in widely-used > applications, that isn't possible. If SPI can sign certificates for > debian.org, then they can also sign certificates for my bank, and my > browser will think those are just as valid.
I agree. However I don't think that the particular case of a Debian Root CA would be a problem, since you must absolutely trust it. If something bad happens at this level, this would mean that downloaded packages from debian.org may actually be compromised ones, and in such a case, your whose machine should be regarded as compromised. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140618130058.ga17...@ypig.lip.ens-lyon.fr
