Hi,

Russell Stuart:
> This looks like pinning under another name to me. And quoting you
> above, in this very same email, you say pinning is too hard because you
> have to "hard code all the single Debian host certs in all programs that
> use TLS/SSL (or at least with Debian services)". And yet now you say we
> have to do this anyway!
>
The difference is that while pinning a bunch of certificates is indeed a lot of on-going work, pinning the CA cert used to sign these is not (set up the CA and install it into our software once, sign server certificates with that forevermore).
--
-- Matthias Urlichs
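The distinction drawn in the message above, as an added example that is not part of the original email: a client that pins one server certificate breaks when that certificate is renewed, while a client that pins only the signing CA keeps verifying. It assumes the `openssl` command line tool (1.1.0 or later); the CA name, host name and file names are constructed for the demo.

```sh
#!/bin/sh
# Added demo; "Demo Pinned CA" and "service.example" are constructed names.
set -e

# Build a private CA plus two successive server certs ("old", then renewed "new").
make_demo_pki() {  # $1 = output directory
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Pinned CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    for gen in old new; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=service.example" \
            -keyout "$dir/$gen.key" -out "$dir/$gen.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$gen.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 30 -out "$dir/$gen.pem" 2>/dev/null
    done
}

# Leaf pin: the presented cert must have the same SHA-256 fingerprint as the pinned one.
leaf_pin_ok() {  # $1 = pinned server cert, $2 = presented server cert
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# CA pin: the presented cert must chain to the pinned CA; system trust store is not used.
ca_pin_ok() {  # $1 = pinned CA cert, $2 = presented server cert
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    leaf_pin_ok "$d/old.pem" "$d/old.pem" && echo "leaf pin, original cert: ok"
    leaf_pin_ok "$d/old.pem" "$d/new.pem" || echo "leaf pin, renewed cert:  MISMATCH (client must be updated)"
    ca_pin_ok "$d/ca.pem" "$d/old.pem" && echo "CA pin,   original cert: ok"
    ca_pin_ok "$d/ca.pem" "$d/new.pem" && echo "CA pin,   renewed cert:  ok"
    rm -rf "$d"
}
demo
```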