On Tue, 2014-06-24 at 08:29 +0200, Matthias Urlichs wrote: > The difference is that while pinning a bunch of certificates is indeed a > lot of on-going work, pinning the CA cert used to sign these is not (set up > the CA and install it into our software once, sign server certificates with > that forevermore).
If that is a huge problem you just pin the CA's cert. The assertion you are making is: all .debian.net/.debian.org's must be signed by this root. To compromise Debian the attacker must compromise a CA Debian chooses, not a CA of their choice. It's not a new idea - Certificate Patrol already does it.
signature.asc
Description: This is a digitally signed message part
