"Robin H. Johnson" <[EMAIL PROTECTED]> posted
[EMAIL PROTECTED], excerpted below, on 
Thu, 27 Sep 2007 17:10:48 -0700:

> If there aren't too many AND we can get a dedicated IP for each of those
> services, I'd like to suggest the following, as an easily doable and
> low-overhead (in terms of Trustees/paperwork) solution:
> 
> 1. On the services identified, get extra IPs, and use the free GoDaddy
> certs.
> 2. On other services use the Gentoo-CA approach.

There's probably a reason this won't work, since I've yet to see it 
brought up here and it's not mentioned on the bug either, but hey, I 
don't know said reason, and it's worth the shot...

Would it be possible to set up a gentoo-certs package, versioned like any 
other, with USE flags if necessary for installing where various browsers, 
etc. can see them?

The idea being, any time a certificate changes you create a new version 
of gentoo-certs.  "Security-clueless" users can simply be told about this 
package, and should reasonably quickly get the idea of checking for an 
upgrade any time they get a security warning.  Certs in this package 
would then be accepted by default, while allowing users the option of 
installing the package or not, plus the possible USE flags, as well as 
configuring their browser manually to reject the certs, if desired.

That would be easier in some ways and harder in others than setting up a 
full Gentoo-CA.  However, Gentoo devs deal with packages every day, while 
I doubt many deal with CA signing every day (umm... from the bug it looks 
like a couple devs do... enough anyway if not every day), so it might be 
more routine and thus easier for Gentoo to go the package route, even if 
it's harder in the absolute.

I'd think "you need to merge or update this package" would suffice for 
the "security-clueless", while the "security-clueful" already know the 
deal, so no big deal for them, though it'd lessen the hassle factor for them 
as well.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

-- 
[EMAIL PROTECTED] mailing list