
Soliciting Applications and Nominations for the SPI Board


Matt Zimmerman

Nov 18, 2002, 4:00:19 PM
On Mon, Nov 18, 2002 at 12:09:08PM -0700, Bdale Garbee wrote:

> The tasks include but are not limited to:
> [...]

Another good task might be to arrange for a verifiable certificate for the
https services at spi-inc.org? Currently, it seems to have an expired
certificate for a different hostname issued by an unrecognized CA (Wichert).

--
- mdz



Steve Langasek

Nov 19, 2002, 10:20:06 AM
On Mon, Nov 18, 2002 at 03:33:53PM -0500, Matt Zimmerman wrote:
> On Mon, Nov 18, 2002 at 12:09:08PM -0700, Bdale Garbee wrote:

> > The tasks include but are not limited to:
> > [...]

> Another good task might be to arrange for a verifiable certificate for the
> https services at spi-inc.org? Currently, it seems to have an expired
> certificate for a different hostname issued by an unrecognized CA (Wichert).

By 'verifiable', do you mean using one of the universally-recognized web
CAs, or would it be an option to create an SPI (or Debian) CA whose CA
cert is shipped with Debian and usable by default?

--
Steve Langasek
postmodern programmer

Matt Zimmerman

Nov 19, 2002, 10:50:14 AM

By 'verifiable', I mean a certificate which can be verified, by whatever
means, to belong to SPI, modulo a reasonable doubt. Given the policies and
(lack of) secure certificate distribution by the commercial CAs, I've no
doubt we could do better, but I have some doubt that we have justification.

But this was more a snide remark than anything; it's not as if the SPI
website is processing financial transactions, but it does use SSL
for some forms.

Steve Langasek

Nov 19, 2002, 11:50:11 AM
On Tue, Nov 19, 2002 at 10:22:10AM -0500, Matt Zimmerman wrote:

>>> Another good task might be to arrange for a verifiable certificate for the
>>> https services at spi-inc.org? Currently, it seems to have an expired
>>> certificate for a different hostname issued by an unrecognized CA (Wichert).

>> By 'verifiable', do you mean using one of the universally-recognized web
>> CAs, or would it be an option to create an SPI (or Debian) CA whose CA
>> cert is shipped with Debian and usable by default?

> By 'verifiable', I mean a certificate which can be verified, by whatever
> means, to belong to SPI, modulo a reasonable doubt. Given the policies and
> (lack of) secure certificate distribution by the commercial CAs, I've no
> doubt we could do better, but I have some doubt that we have justification.

Yes, even though it would be less automatic for those using non-Debian
web clients, I think most of us have a stronger trust relationship with
any arbitrary key in the Debian strongly-connected set than with
VeriSign. ;)

> But this was more a snide remark than anything; it's not as if the SPI
> website is processing financial transactions, but it does use SSL
> for some forms.

All the more reason not to deplete our accounts for something we could do
just as well ourselves!
