Soliciting Applications and Nominations for the SPI Board

Matt Zimmerman

Nov 18, 2002, 4:00:19 PM
On Mon, Nov 18, 2002 at 12:09:08PM -0700, Bdale Garbee wrote:

> The tasks include but are not limited to:
> [...]

Another good task might be to arrange for a verifiable certificate for the
https services at spi-inc.org? Currently, it seems to have an expired
certificate for a different hostname issued by an unrecognized CA (Wichert).

--
- mdz


--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Steve Langasek

Nov 19, 2002, 10:20:06 AM
On Mon, Nov 18, 2002 at 03:33:53PM -0500, Matt Zimmerman wrote:
> On Mon, Nov 18, 2002 at 12:09:08PM -0700, Bdale Garbee wrote:

> > The tasks include but are not limited to:
> > [...]

> Another good task might be to arrange for a verifiable certificate for the
> https services at spi-inc.org? Currently, it seems to have an expired
> certificate for a different hostname issued by an unrecognized CA (Wichert).

By 'verifiable', do you mean using one of the universally-recognized web
CAs, or would it be an option to create an SPI (or Debian) CA whose CA
cert is shipped with Debian and usable by default?

--
Steve Langasek
postmodern programmer

Matt Zimmerman

Nov 19, 2002, 10:50:14 AM

By 'verifiable', I mean a certificate which can be verified, by whatever
means, to belong to SPI, modulo a reasonable doubt. Given the policies and
(lack of) secure certificate distribution by the commercial CAs, I've no
doubt we could do better, but I have some doubt that we have justification.

But this was more a snide remark than anything; it's not as if the SPI
website is processing financial transactions, but it does use SSL
for some forms.

Steve Langasek

Nov 19, 2002, 11:50:11 AM
On Tue, Nov 19, 2002 at 10:22:10AM -0500, Matt Zimmerman wrote:

>>> Another good task might be to arrange for a verifiable certificate for the
>>> https services at spi-inc.org? Currently, it seems to have an expired
>>> certificate for a different hostname issued by an unrecognized CA (Wichert).

>> By 'verifiable', do you mean using one of the universally-recognized web
>> CAs, or would it be an option to create an SPI (or Debian) CA whose CA
>> cert is shipped with Debian and usable by default?

> By 'verifiable', I mean a certificate which can be verified, by whatever
> means, to belong to SPI, modulo a reasonable doubt. Given the policies and
> (lack of) secure certificate distribution by the commercial CAs, I've no
> doubt we could do better, but I have some doubt that we have justification.

Yes, even though it would be less automatic for those using non-Debian
web clients, I think most of us have a stronger trust relationship with
any arbitrary key in the Debian strongly-connected set than with
VeriSign. ;)

> But this was more a snide remark than anything; it's not as if the SPI
> website is processing financial transactions, but it does use SSL
> for some forms.

All the more reason not to deplete our accounts for something we could do
just as well ourselves!
