The world is in the process of learning just how much the NSA, GCHQ, and the similar organizations of Canada, New Zealand and Australia are doing to subvert ALL encrypted traffic. One thing I read recently is that it is possible that the NSA (with the other 4 possibly helping) has broken RC4.
Today, after an apt-get update, I see there is a new ca-certificates available. Okay, install it. There is a dialog on my text console for this: do you trust this handful of new certificates? How should I know?

The README file (possibly from the June update, since I haven't finished allowing the update to install) says that there is only a single way for updates to get into the Debian system: they must be updates to Mozilla's trust system. Wonderful, how do we evaluate that? As the package is not yet installed, I don't know if there is a changelog entry explaining where these new certificates come from, and why we should trust them. But the changelog entry from June says that in that update, they are removing an expired certificate from 2007. Is this SOP? Wait 6 years to remove an expired certificate? The certificate knows it is expired.

Every time I apt-get update, I get pestered about problems with the QGIS archive key. I tried doing key maintenance with apt-key. All I did was change the error message I get from apt-get update. Maybe when the current QGIS key expires, the update to that will start to work again?

It would be nice if, say, the README.Debian file would provide pointers to tools or protocols to evaluate these certificates. But if the NSA has broken RC4 and someone can prove it, I would imagine that most certificates in ca-certificates should become invalid very soon. But cryptanalysis is not my field. Numerical methods is a big chunk of my study.

Gord

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201309071747.19905.ghave...@materialisations.com
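One concrete check a local administrator can run on the trust store the post is asking about is an expiry audit: whatever else is unknown about a CA certificate, its notAfter date is in the certificate itself, so expired entries in /etc/ssl/certs can be spotted without trusting anyone's changelog. The script below is an added example written for this thread; it is not from the original post and not part of Debian's ca-certificates package. It assumes the openssl command-line tool is installed and that the directory holds one certificate per file (on Debian, /etc/ssl/certs contains one .pem symlink per trusted CA; the concatenated ca-certificates.crt bundle is skipped because openssl x509 only reads the first certificate in a file). The function names, the status words and the 30-day default are the example's own choices.

```shell
#!/bin/sh
# Expiry audit for a directory of PEM certificates (example code, hypothetical helper).
# Usage: check_cert_dir /etc/ssl/certs 30   -> one line per certificate:
#        STATUS   notAfter                   path
# Requires: openssl x509 (-checkend / -enddate are long-standing options).

# Classify one PEM certificate as OK, EXPIRING (notAfter within $2 days) or EXPIRED.
cert_status() {
    cert="$1"; days="${2:-30}"
    # -checkend N exits non-zero when the certificate expires within N seconds;
    # N=0 therefore tells us whether it has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Walk the .pem/.crt files in a directory and print "STATUS notAfter path".
# Multi-certificate bundles (e.g. ca-certificates.crt) are skipped, since
# openssl x509 would only look at the first certificate inside them.
check_cert_dir() {
    dir="$1"; days="${2:-30}"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -gt 1 ]; then
            continue
        fi
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%-8s %-26s %s\n' "$(cert_status "$f" "$days")" "$enddate" "$f"
    done
}

# Number of certificates that are expired or expire within N days.
count_not_ok() {
    check_cert_dir "$1" "$2" | grep -cv '^OK ' || true
}

# Stand-alone use: audit the system store with a 30-day warning window.
if [ "${1:-}" = "--run" ]; then
    check_cert_dir /etc/ssl/certs 30
fi
```

Run with `sh check_certs.sh --run` (or source it and call `check_cert_dir` on any directory). Anything reported as EXPIRED is a candidate for removal from the trust store, and the EXPIRING list gives advance notice of which CAs the next ca-certificates update will have to replace; what the script cannot tell you is whether a still-valid CA deserves trust, which is the policy question the post raises.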