On Mon, Jan 03, 2011 at 03:42:42AM +0100, Naja Melan wrote:
> > You've downloaded a bunch of certificates that came with your web browser.
> > Why do you trust them?
> >
> As I pointed out above there are many problems associated with https.
> Trusting the root certificates is one of those. Still the level of trust I
> have in them comes from:
>
> a) getting them shipped to me in a "secure" or at least "somewhat secure"
> way (which is the whole point of this thread, remember)

Is that because you can buy the OS in a store? Was it pre-installed? If it's
a Microsoft product, did you check this nice hologram on the DVD? Or maybe
Microsoft has a hash of their DVDs on its website? (For MSDN subscribers you
now can't even get the DVDs anymore and need to download things, as far as I
know.)

> b) some trust in the certification authorities and everyone that is supposed
> to check them, like auditors and browser/OS developers

I have very limited trust in the CAs.

> c) some trust in developers that store and distribute them, like browser/OS
> developers to do that in a safe way

[...]

> Currently I'm installing Fedora, because it seems that that is as good as it
> gets with https. Their site is very neat and informative in verifying their
> downloads, it all comes over certified https, even extra tools like the
> liveusb-creator. This gives me at least a higher sense of trust than the
> current Debian situation.

Personally I have a higher trust in what Debian is shipping because I know
how things work in Debian and I've met all the people involved and probably
signed their keys myself.

So I think your problems are:
- The main website doesn't have https (because it's mirrored)
- You don't trust our CA because your browser/OS doesn't have it.
- The instructions to verify things might need to be updated.


Kurt

Archive: http://lists.debian.org/20110103153011.ga21...@roeckx.be
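The verification step the thread keeps circling (a checksum file for the image, a detached OpenPGP signature on that file, and an out-of-band decision about whose key it is) as an added Python example. This is not code from either message and not Debian's or Fedora's own tooling. It assumes the checksum file has one "<hexdigest>  <filename>" line per image (the sha512sum -c layout) and that a detached signature of it exists for gpg to check; the image name, the sample bytes and the helper names are constructed for the example.

```python
#!/usr/bin/env python3
"""Check a downloaded image against a SHA512SUMS-style checksum file.

Added example, not Debian's or Fedora's own tooling. Assumes the checksum
file has one '<hexdigest>  <filename>' line per image (the sha512sum -c
format) and that a detached OpenPGP signature of that file is available
for gpg to check.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

CHUNK = 1 << 20  # hash images in 1 MiB pieces rather than reading them whole
DIGEST_ALGOS = {64: "sha256", 128: "sha512"}  # hex length -> hashlib name


def parse_sums(text):
    """Parse checksum lines into {filename: lowercase hexdigest}.

    Blank lines and '#' comments are skipped. A leading '*' on the
    filename (sha512sum's binary-mode marker) is dropped. Anything that
    is not a hex digest of a known length is rejected rather than ignored,
    so a corrupted or truncated checksum file fails loudly.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) not in DIGEST_ALGOS or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("bad digest on line: %r" % raw)
        sums[name] = digest
    return sums


def file_digest(path, algo):
    """Hash a file in chunks with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """Return (ok, detail): the algorithm used on success, the reason on failure."""
    sums = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        return False, "%s not listed in checksum file" % name
    expected = sums[name]
    algo = DIGEST_ALGOS[len(expected)]
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, algo


def verify_signature(sums_path, sig_path, keyring=None):
    """Run gpg over the detached signature of the checksum file.

    Returns True only if gpg exits 0, i.e. the signature is valid under
    some key in the keyring. That says nothing about whether the key is
    the distribution's: gpg also exits 0 for a valid signature from an
    untrusted key (it only prints a warning), so the fingerprint still has
    to be compared against one obtained out of band.
    """
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo():
    """Constructed data: a fake image plus matching, tampered and unlisted lines."""
    image = b"constructed bytes standing in for an installer image\n" * 4096
    name = "debian-example.iso"  # assumed filename, not a real release
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(image)
        good = "%s  %s\n" % (hashlib.sha512(image).hexdigest(), name)
        sha256_line = "%s *%s\n" % (hashlib.sha256(image).hexdigest(), name)
        tampered = "%s  %s\n" % (hashlib.sha512(image + b"\x00").hexdigest(), name)
        unlisted = "%s  other.iso\n" % ("0" * 128)
        return {
            "good": verify_download(path, good),
            "sha256": verify_download(path, sha256_line),
            "tampered": verify_download(path, tampered),
            "unlisted": verify_download(path, unlisted),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

On a real download the order matters: run verify_signature on the checksum file first, then verify_download on the image, and only treat the result as meaningful once the signing key's fingerprint has been confirmed through a channel other than the mirror that served the files. The checksum binds the image to the checksum file and the signature binds that file to a key; which key to believe is the part no script can settle, which is exactly the trust question the thread is about.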