> The tasks include but are not limited to:
> [...]
Another good task might be to arrange for a verifiable certificate for the
https services at spi-inc.org? Currently, it seems to have an expired
certificate for a different hostname issued by an unrecognized CA (Wichert).
--
- mdz
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

> > The tasks include but are not limited to:
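The complaint above amounts to the three checks a TLS client makes before it trusts a server certificate: the name must match the host being contacted, the validity period must cover the current time, and the issuer must chain to a CA the client already trusts. The following is an added example, not code from the thread: it applies those checks to a constructed certificate laid out the way Python's `ssl` module returns `getpeercert()`. The names, dates and the issuer "Example Private CA" are placeholders, and `trusted_issuers` is a deliberate simplification of real chain validation (a client verifies signatures up to a trust-store root; here only the issuer's commonName is compared).

```python
"""Added example: the checks a TLS client performs on a server certificate,
run against a constructed certificate dict (not a real server's)."""
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Names, dates and issuer are placeholders; they describe no real server.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Private CA"),),),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2003 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.mail.example.org")),
}


def cert_names(cert):
    """DNS names the certificate claims: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == hostname


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the reasons a client would reject cert for hostname (empty list = OK).

    now may be a POSIX timestamp or a certificate-style time string such as
    "Jun  1 00:00:00 2004 GMT", so a check can be reproduced at a fixed date.
    trusted_issuers is a simplification: a real client builds and verifies the
    signature chain up to a root in its trust store; here only the issuer's
    commonName is compared against a set of names the caller trusts.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems = []

    # 1. Name check: does the certificate cover the host we connected to?
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"hostname mismatch: {hostname} not in {names}")

    # 2. Validity window.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append(f"not yet valid (notBefore {cert['notBefore']})")
    if now > not_after:
        problems.append(f"expired (notAfter {cert['notAfter']})")

    # 3. Issuer trust (simplified, see docstring).
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn).get("commonName")
    if issuer not in trusted_issuers:
        problems.append(f"issuer not trusted: {issuer!r}")

    return problems


if __name__ == "__main__":
    # Reproduces the situation described in the thread: wrong host, expired,
    # issued by a CA the client does not recognise.
    for p in check_certificate(SAMPLE_CERT, "spi-inc.org", {"Some Public CA"},
                               now="Jun  1 00:00:00 2004 GMT"):
        print("reject:", p)
```

`ssl.create_default_context()` performs the same three checks for real connections (`check_hostname=True` for the name, `verify_mode=CERT_REQUIRED` for validity and chain), which is why a browser or client refuses the certificate outright rather than reporting each defect. Shipping an SPI or Debian CA, as proposed later in the thread, only changes the third check: it adds a root to the trust store the chain is validated against, and does nothing for an expired certificate or one issued for the wrong hostname.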
> > [...]
> Another good task might be to arrange for a verifiable certificate for the
> https services at spi-inc.org? Currently, it seems to have an expired
> certificate for a different hostname issued by an unrecognized CA (Wichert).
By 'verifiable', do you mean using one of the universally-recognized web
CAs, or would it be an option to create an SPI (or Debian) CA whose CA
cert is shipped with Debian and usable by default?
--
Steve Langasek
postmodern programmer

By 'verifiable', I mean a certificate which can be verified, by whatever
means, to belong to SPI, modulo a reasonable doubt. Given the policies and
(lack of) secure certificate distribution by the commercial CAs, I've no
doubt we could do better, but I have some doubt that we have justification.
But this was more a snide remark than anything; it's not as if the SPI
website is processing financial transactions, but it does use SSL
for some forms.

>>> Another good task might be to arrange for a verifiable certificate for the
>>> https services at spi-inc.org? Currently, it seems to have an expired
>>> certificate for a different hostname issued by an unrecognized CA (Wichert).
>> By 'verifiable', do you mean using one of the universally-recognized web
>> CAs, or would it be an option to create an SPI (or Debian) CA whose CA
>> cert is shipped with Debian and usable by default?
> By 'verifiable', I mean a certificate which can be verified, by whatever
> means, to belong to SPI, modulo a reasonable doubt. Given the policies and
> (lack of) secure certificate distribution by the commercial CAs, I've no
> doubt we could do better, but I have some doubt that we have justification.
Yes, even though it would be less automatic for those using non-Debian
web clients, I think most of us have a stronger trust relationship with
any arbitrary key in the Debian strongly-connected set than with
VeriSign. ;)
> But this was more a snide remark than anything; it's not as if the SPI
> website is processing financial transactions, but it does use SSL
> for some forms.
All the more reason not to deplete our accounts for something we could do
just as well ourselves!