debian-project

Re: No port 443 (https) available on "security.debian.org"-repo

To: Adam Borowski <kilobyte@xxxxxxxxxx>, "Zei Ha gmx.net" <zeiha@xxxxxxx>
Subject: Re: No port 443 (https) available on "security.debian.org"-repository
From: James Bromberger <james@xxxxxxx>
Date: Wed, 26 Jul 2017 07:01:36 +0800
Cc: debian-project@xxxxxxxxxxxxxxxx
In-reply-to: <20170725222035.u5ejc6npqaek23m7@angband.pl>
References: <0MQNFY-1dApuO025k-00Tk2M@mail.gmx.com> <1501016201.1252969.1052467376.17722981@webmail.messagingengine.com> <20170725222035.u5ejc6npqaek23m7@angband.pl>

On 26/07/2017 6:20 AM, Adam Borowski wrote:
> https provides no protection against targeted attacks by government agents.
> The CA cartel model consists of 400+ CAs, many of them outright controlled
> by governments, most of the rest doing what they're told (no, warrants
> are a story for nice kids).  Clients in general trust _any_ CA, which means
> you're only as secure as the worst CA.  I.e., https protects you against Joe
> Script Kiddie but not against a capable opponent.
>

Except there are new-ish ways to limit the scope from 400+ CAs to just
the one you use.
cf. Certification Authority Authorization (CAA) DNS Resource
https://tools.ietf.org/html/rfc6844

... if APT wishes to support this.
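
Added example, not part of the original message: a sketch of the issuance check that RFC 6844 asks a CA to run against a domain's CAA records, which is how the set of usable CAs is narrowed. The zone data, host names and CA domains are constructed, and the lookup only climbs parent names (CNAME/DNAME handling is left out).

```python
# Constructed zone data (presentation format); names and CA domains are made up.
ZONE = """
example.org.        3600 IN CAA 0 issue "ca-one.example"
example.org.        3600 IN CAA 0 iodef "mailto:hostmaster@example.org"
locked.example.org. 3600 IN CAA 0 issue ";"
wild.example.org.   3600 IN CAA 0 issue "ca-one.example"
wild.example.org.   3600 IN CAA 0 issuewild "ca-two.example; policy=ev"
odd.example.org.    3600 IN CAA 128 futuretag "x"
"""

def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]} built from CAA lines."""
    rrsets = {}
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, flags, tag, value = line.split(None, 6)
        if rtype.upper() == "CAA":
            rec = (int(flags), tag.lower(), value.strip().strip('"'))
            rrsets.setdefault(owner.lower().rstrip("."), []).append(rec)
    return rrsets

def relevant_rrset(rrsets, fqdn):
    """Climb from fqdn towards the root; the first CAA set found applies."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        found = rrsets.get(".".join(labels[i:]))
        if found:
            return found
    return []

def may_issue(rrsets, fqdn, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(rrsets, fqdn)
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False          # critical property this CA does not understand
    issue = [v for _, tag, v in rrset if tag == "issue"]
    wild = [v for _, tag, v in rrset if tag == "issuewild"]
    props = wild if (wildcard and wild) else issue
    if not props:
        return True           # no applicable issue property: no restriction
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed   # issue ";" yields {""}: nobody
```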
