On 10 Jul 2015, at 15:40, Björn Persson wrote:
Michael Catanzaro wrote:
On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote:
Isn't the whole point to eliminate the need for third party
certificate authorities entirely?
Well I think you could choose to do that, or you could choose to use
Michael Catanzaro wrote:
> I'm confused on one point: why would the user ever want to turn off
> DNSSEC validation (except to get past a for captive portal)? It sounds
> like you have no shortage of safeguards in place to make sure this
> always works: for it to break the user would have to be on a
Michael Catanzaro wrote:
> On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote:
> > Isn't the whole point to eliminate the need for third party
> > certificate authorities entirely?
>
> Well I think you could choose to do that, or you could choose to use
> it as an additional security measur
On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote:
> Isn't the whole point to eliminate the need for third party
> certificate authorities entirely?
Well I think you could choose to do that, or you could choose to use it
as an additional security measure on top of traditional certificate
a
On 3 Jul 2015, at 10:44, Michael Catanzaro wrote:
On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
For the record, and all this can be solved by DNSSEC + DANE. See RFC
6698.
I was planning to use DANE as a second required check in addition to
the normal certificate chain. That is, if ei
On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
> For the record, and all this can be solved by DNSSEC + DANE. See RFC
> 6698.
I was planning to use DANE as a second required check in addition to
the normal certificate chain. That is, if either the certificate chain
doesn't check out or DAN
And dnssec-validator.cx for a Firefox/chrome plugin that you can see in action
against fedoraproject.org that already deploys this
Sent from my iPhone
> On Jul 3, 2015, at 10:43, Petr Spacek wrote:
>
>> On 2.7.2015 17:56, Michael Catanzaro wrote:
>>> On Thu, 2015-07-02 at 16:38 +0200, Reindl
On 2.7.2015 17:56, Michael Catanzaro wrote:
> On Thu, 2015-07-02 at 16:38 +0200, Reindl Harald wrote:
>> this type of attitude?
>>
>> everybody who reads IT news over the past years about CA's issued
>> certificates even for Google knows that a CA signed certificate does
>> not
>> prove anything
On Thu, 2015-07-02 at 16:38 +0200, Reindl Harald wrote:
> this type of attitude?
>
> everybody who reads IT news over the past years about CA's issued
> certificates even for Google knows that a CA signed certificate does
> not
> prove anything - the real problem is when this happens for Google
In any case, this is drifting significantly off-topic. Anyone
interested in continuing it further, please use other venues.
--
Matthew Miller
Fedora Project Leader
- Original Message -
> *lol* and with a CA certificate you can?
A lot of us are sick of this type of attitude on fedora-devel, to
the point where we don't actually care what you think anymore. Take
this as an opportunity to read instead of jumping at people's throat
with an attitude tha
On 02.07.2015 at 16:33, Bastien Nocera wrote:
- Original Message -
*lol* and with a CA certificate you can?
A lot of us are sick of this type of attitude on fedora-devel, to
the point where we don't actually care what you think anymore. Take
this as an opportunity to read instead o
On 02.07.2015 at 16:16, Reindl Harald wrote:
On 02.07.2015 at 16:04, drago01 wrote:
On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald
wrote:
On 02.07.2015 at 02:30, Michael Catanzaro wrote:
On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote:
Principles are good and well. But how many t
On 02.07.2015 at 16:04, drago01 wrote:
On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald wrote:
On 02.07.2015 at 02:30, Michael Catanzaro wrote:
On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote:
Principles are good and well. But how many times did you actually USE
that option you so r
On Thu, Jul 02, 2015 at 04:04:37PM +0200, drago01 wrote:
> > a self signed certificate is exactly as secure as a CA certificate you pay
> > for after there are hundreds and thousands by default trusted CA's in the
> > browsers with the only difference you have to accept it once
> No it's not. Becaus
On Thu, Jul 2, 2015 at 2:33 AM, Reindl Harald wrote:
>
> On 02.07.2015 at 02:30, Michael Catanzaro wrote:
>>
>> On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote:
>>>
>>> Principles are good and well. But how many times did you actually USE
>>> that option you so reluctantly implemented? :)
>
On 02.07.2015 at 02:13, Michael Catanzaro wrote:
On Thu, 2015-07-02 at 00:44 +0200, Reindl Harald wrote:
the more important question: who do gnome developers think they are
to
make such decisions?
Hi Reindl,
If you know enough about TLS to decide whether to click the Load Anyway
button in
On 02.07.2015 at 02:30, Michael Catanzaro wrote:
On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote:
Principles are good and well. But how many times did you actually USE
that option you so reluctantly implemented? :)
Actually, I honestly don't remember ever using it except testing it
dur
On Wed, 2015-07-01 at 19:59 -0400, Paul Wouters wrote:
> Principles are good and well. But how many times did you actually USE
> that option you so reluctantly implemented? :)
Actually, I honestly don't remember ever using it except testing it
during development. I just don't visit broken sites. T
On Thu, 2015-07-02 at 00:44 +0200, Reindl Harald wrote:
> the more important question: who do gnome developers think they are
> to
> make such decisions?
Hi Reindl,
If you know enough about TLS to decide whether to click the Load Anyway
button in your browser on a particular site, or enough abo
On Wed, 1 Jul 2015, Michael Catanzaro wrote:
Date: Wed, 1 Jul 2015 19:26:55
From: Michael Catanzaro
To: devel@lists.fedoraproject.org
Subject: Re: dnssec-trigger + GNOME + NetworkManager integration
On Wed, 2015-07-01 at 18:40 -0400, Paul Wouters wrote:
That's the same as saying remov
On Wed, 2015-07-01 at 18:40 -0400, Paul Wouters wrote:
> That's the same as saying remove the "continue anyway" from the
> browser.
Yeah, I want to do that too; actually I added it to Epiphany myself,
not because it's a good idea, but because I know we'll be in for
complaints otherwise, because F
On Tue, 30 Jun 2015, Bastien Nocera wrote:
Once DNSSEC is more widely deployed
What is "more widely deployed" ?
http://www.internetsociety.org/deploy360/wp-content/uploads/2013/04/2015-06-19-2015-06-19.png
There are 991 zones in the root and 814 are signed and securely delegated.
http://sta
On 02.07.2015 at 00:40, Paul Wouters wrote:
On Tue, 30 Jun 2015, Michael Catanzaro wrote:
What we basically do not want is to give the user an option for turning
a security feature off.
That's the same as saying remove the "continue anyway" from the browser.
Only the human can determine if i
On Tue, 30 Jun 2015, Michael Catanzaro wrote:
I'm confused on one point: why would the user ever want to turn off
DNSSEC validation (except to get past a for captive portal)? It sounds
like you have no shortage of safeguards in place to make sure this
always works: for it to break the user would
On 30.06.2015 16:50, Tomas Hozza wrote:
>
>
> On 30.06.2015 16:07, Michael Catanzaro wrote:
>> On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote:
>>> Except that this is exactly what we DON'T want to do. DNSSEC is an
>>> extension of DNS and it can be used even without the need for the
>>> wh
On 30.06.2015 16:07, Michael Catanzaro wrote:
> On Tue, 2015-06-30 at 11:24 +0200, Tomas Hozza wrote:
>> The thing is that some information are unrelated to NM. There is no
>> reason to push all information back to NetworkManager, since its role
>> is
>> explicitly defined - manage network connect
On 30.06.2015 16:07, Michael Catanzaro wrote:
> On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote:
>> Except that this is exactly what we DON'T want to do. DNSSEC is an
>> extension of DNS and it can be used even without the need for the
>> whole
>> Internet to be signed. We want to use it ev
On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote:
> Except that this is exactly what we DON'T want to do. DNSSEC is an
> extension of DNS and it can be used even without the need for the
> whole
> Internet to be signed. We want to use it even if the network-provided
> DNS resolvers don't suppo
On Tue, 2015-06-30 at 11:24 +0200, Tomas Hozza wrote:
> The thing is that some information are unrelated to NM. There is no
> reason to push all information back to NetworkManager, since its role
> is
> explicitly defined - manage network connections and leave the DNS
> resolution and configuratio
On 30.06.2015 14:37, Bastien Nocera wrote:
>
>
> - Original Message -
>
>> No, it is not. It is opt-in now, we want it by default. Please read the
>> change. Thank you.
>
> I don't see any options about it in GNOME's Network panel. I'm not interested
> in integration as an after-thoug
On 30.06.2015 14:11, Bastien Nocera wrote:
>
>
> - Original Message -
>> On 30.06.2015 13:53, Bastien Nocera wrote:
>>>
>>>
>>> - Original Message -
On 30.06.2015 11:24, Tomas Hozza wrote:
>>>
> It means that the site of your bank you are on may not be provided the
>>>
- Original Message -
> No, it is not. It is opt-in now, we want it by default. Please read the
> change. Thank you.
I don't see any options about it in GNOME's Network panel. I'm not interested
in integration as an after-thought.
I think it best to stop this dead-end discussion until y
On 30.06.2015 13:53, Bastien Nocera wrote:
>
>
> - Original Message -
>> On 30.06.2015 11:24, Tomas Hozza wrote:
>
>>> It means that the site of your bank you are on may not be provided the
>>> actual host you should be connected to, but instead by some attacker's.
>>> The insecure mode
On 30.06.2015 13:58, Stef Walter wrote:
> On 30.06.2015 13:53, Bastien Nocera wrote:
>>
>>
>> - Original Message -
>>> On 30.06.2015 11:24, Tomas Hozza wrote:
>>
It means that the site of your bank you are on may not be provided the
actual host you should be connected to, but i
- Original Message -
> On 30.06.2015 13:53, Bastien Nocera wrote:
> >
> >
> > - Original Message -
> >> On 30.06.2015 11:24, Tomas Hozza wrote:
> >
> >>> It means that the site of your bank you are on may not be provided the
> >>> actual host you should be connected to, but ins
On 30.06.2015 13:46, Stef Walter wrote:
> On 30.06.2015 11:24, Tomas Hozza wrote:
>> On 26.06.2015 17:13, Matthias Clasen wrote:
>>> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>>>
>>> Hey, I was out for a week, so this may be a bit of a late reply.
>>>
>>> As Michael and Bastien alread
- Original Message -
> On 30.6.2015 13:53, Bastien Nocera wrote:
> >
> >
> > - Original Message -
> >> On 30.06.2015 11:24, Tomas Hozza wrote:
> >
> >>> It means that the site of your bank you are on may not be provided the
> >>> actual host you should be connected to, but inst
On 30.6.2015 13:53, Bastien Nocera wrote:
>
>
> - Original Message -
>> On 30.06.2015 11:24, Tomas Hozza wrote:
>
>>> It means that the site of your bank you are on may not be provided the
>>> actual host you should be connected to, but instead by some attacker's.
>>> The insecure mode m
On 30.06.2015 13:53, Bastien Nocera wrote:
>
>
> - Original Message -
>> On 30.06.2015 11:24, Tomas Hozza wrote:
>
>>> It means that the site of your bank you are on may not be provided the
>>> actual host you should be connected to, but instead by some attacker's.
>>> The insecure mode
- Original Message -
> On 30.06.2015 11:24, Tomas Hozza wrote:
> > It means that the site of your bank you are on may not be provided the
> > actual host you should be connected to, but instead by some attacker's.
> > The insecure mode means that you are vulnerable in the same way as the
On 30.06.2015 11:24, Tomas Hozza wrote:
> On 26.06.2015 17:13, Matthias Clasen wrote:
>> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>>
>> Hey, I was out for a week, so this may be a bit of a late reply.
>>
>> As Michael and Bastien already stated, all the GNOME networking UI
>> relies on
On 26.06.2015 17:13, Matthias Clasen wrote:
> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>
> Hey, I was out for a week, so this may be a bit of a late reply.
>
> As Michael and Bastien already stated, all the GNOME networking UI
> relies on information gotten from NetworkManager, and w
- Original Message -
> > GNOME shell also launches a browser when needed for captive portal
> > login. If we need to tweak the way the browser is launched to make it
> > work on a dnssec-enabled system, that should be possible.
>
> Unfortunately on my system it doesn't launch browser, b
On Jun 26, 2015 6:14 PM, "Matthias Clasen" wrote:
>
> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>
> Hey, I was out for a week, so this may be a bit of a late reply.
>
> As Michael and Bastien already stated, all the GNOME networking UI
> relies on information gotten from NetworkManager
On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
Hey, I was out for a week, so this may be a bit of a late reply.
As Michael and Bastien already stated, all the GNOME networking UI
relies on information gotten from NetworkManager, and we'd like to keep
it that way. In particular, NetworkMana
- Original Message -
> Hello,
>
> > On Tuesday, 23 June 2015 10:13 PM, Tomas Hozza wrote:
> > Now we know that we have at least 3 components on the system, that are
> > trying to do the same thing - Captive Portal detection:
> > - dnssec-trigger
> > - NetworkManager
> > - GNOME Shell
> >
Hello,
> On Tuesday, 23 June 2015 10:13 PM, Tomas Hozza wrote:
> Now we know that we have at least 3 components on the system, that are
> trying to do the same thing - Captive Portal detection:
> - dnssec-trigger
> - NetworkManager
> - GNOME Shell
>
> We don't have a problem with turning the det
On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
> I hope that GNOME Shell somehow only displays the state provided by
> NM.
> Bastien, please correct me if I'm wrong and please elaborate on the
> details of what the functionality does (e.g. if you launch a new
> browser
> or so).
Yes, that
Hi all.
I would like to start a new fresh discussion where we can hopefully
converge towards successful integration of default DNS resolver with
NetworkManager on Fedora Workstation (GNOME).
I think there are (at least) two major issues that need to be resolved:
- system-wide Captive Portal detec