On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst <w...@uter.be> wrote:
>On Sunday 20 July 2014 09:23:55, you wrote:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP as well as
>> > HTTPS, so forcing HTTPS really doesn't gain you much.
>>
>> But that implies that the attacker has access to private keys, and in
>> this case you are so screwed.
>
>My point exactly: if someone can somehow MITM people.debian.org they
>have access to private key material that they shouldn't have access to.

I might be missing something, and I admit not having read the entire
thread, but how would they have access to private key material? _My_
GPG key has never been near people.debian.org, and I suspect that key
ring management would (rightfully!) promptly kick any public key whose
private key was found on p.d.o out of the keyring.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834