]] Christoph Anton Mitterer

> A user of Debian already fully trusts us (by using our distro, where we
> could do basically everything).

That user trusts us to build a distro fairly competently, something we have a history of doing.

> If he ultimately trusts our X.509 root, he doesn't give us more trust,
> than he already did.

That user would then trust us to run a CA competently, something we as a project don't have a history of doing, so they have no reason to believe we can do so. Running a good CA is not a trivial effort.

> Of course this still doesn't solve the problem of e.g. browsers, that
> they have gazillions of CAs, and each could issue forged certs for
> Debian hosts, but at least it technically allows the user (or programs
> like apt-listbugs) to _really fully securely_ contact Debian services
> via TLS/SSL with X.509 - something which is not possible with
> GANDI/CAcert or any other non-Debian-managed CAs.

Either cert pinning or DTLSA records would be better solutions here.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are