On Mon, 03 Jan 2011, Eduardo M KALINOWSKI wrote:
> 2. Some linux distros I see now do have certified https, like fedora which
> puts gpg fingerprints (SHA1) of their public keys on their certified
> website.
> 3. Other distros have md5 hashes over certified https, like ubuntu.
> (virtually a shared fourth place with debian)
Do you trust Verisign or the issuer of the http certificate?
And also: if you trust them, are you sure the certificate you have in
your machine for verification is the actual certificate?
You could go to the issuer's site and look for the fingerprint for
verification. But how can you be sure that the fingerprint is
legitimate? SSL can't help you here because of the chicken and egg
problem.
--
All rights reserved.
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
--
Archive:
http://lists.debian.org/20110103091443.72616hkehqli3...@mail.kalinowski.com.br
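The message above argues that a fingerprint published over https cannot bootstrap trust in https itself: the fingerprint has to come from somewhere else. The following is an added example, not code from the thread or from any distribution, showing what the check looks like once a pin has been obtained out of band (a printed fingerprint, a keyring already on disk, a value read over the phone). It fetches the server's leaf certificate without consulting any CA store and compares its SHA-256 fingerprint, in the same colon-separated form that `openssl x509 -fingerprint -sha256` prints, against the pinned value. The sample DER bytes used to exercise the helpers are constructed placeholders, and the host and pin are supplied on the command line.

```python
"""Pin a TLS server certificate to a fingerprint obtained out of band.

Added example for this thread; not code from the original message.
The DER bytes used for self-testing are a constructed placeholder.
"""
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint_der(der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate as uppercase
    hex pairs joined by colons (the openssl -fingerprint layout), so a
    pin can be pasted straight from a printed or emailed fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_pin(pin: str) -> str:
    """Accept pins with or without colons or spaces, in either case."""
    return pin.replace(":", "").replace(" ", "").strip().upper()


def pin_matches(der: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint against
    the out-of-band pin.  A malformed pin is an error, not a mismatch,
    so a typo in the pin cannot silently fail open or closed."""
    expected = normalise_pin(expected_pin)
    if len(expected) != 64 or any(c not in "0123456789ABCDEF" for c in expected):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    actual = normalise_pin(fingerprint_der(der))
    return hmac.compare_digest(actual, expected)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate without trusting any CA.

    CA verification is deliberately disabled here: the trust decision is
    made by pin_matches() against a value that did not travel over this
    channel, which is exactly the point the thread is making."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, expected_pin: str, port: int = 443) -> bool:
    """True only if the live leaf certificate matches the pinned value."""
    return pin_matches(fetch_leaf_cert(host, port), expected_pin)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pincheck.py HOST FINGERPRINT  (pin from an out-of-band source)")
    host, pin = sys.argv[1], sys.argv[2]
    ok = check_host(host, pin)
    print(("pin matches" if ok else "PIN MISMATCH") + " for " + host)
    sys.exit(0 if ok else 1)
```

Two caveats a practitioner would want. First, this pins the whole leaf certificate, so the pin changes on every renewal; pinning the SubjectPublicKeyInfo instead survives re-issuance with the same key but needs an ASN.1 parser, which the standard library does not provide. Second, the script only moves the problem to where the message says it belongs: if the pin you pass in was itself copied from a page served over the same https connection, an attacker who can substitute the certificate can substitute the fingerprint as well, and the check proves nothing.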