On Fri, 2014-03-14 at 09:59 +0100, Raphael Geissert wrote:
> We are closely watching the transition from SPI certificates to the
> ones provided by Gandi.

Which btw is another really bad idea... Debian should have its own CA (if X.509 is used in places to secure its services)... and that CA should also be used to secure its services (well, at least those where there is no better non-X.509 alternative).

Right now, one has at least the chance to say that one checks e.g. https://debian.org/ for the issuing CA... or e.g. simply only trusts the SPI cert... and then one can be sure to really get what one wants. But Gandi is just another commercial CA... actually, AFAIR, it's even just another intermediate CA from Comodo (which is also known to basically make everyone paying an intermediate CA)... so in the future, everyone in the ladder up from Gandi to the root certs of Comodo will be able to forge just any Debian certs as he likes.

Cheers,
Chris.
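The check Chris describes (look at which CA actually issued the debian.org certificate, or simply only trust the SPI CA certificate) in working form. This is an added example for this thread, not code from the original message nor any Debian or SPI tooling. It parses the "Certificate chain" block that `openssl s_client -connect HOST:443 -showcerts` prints, fingerprints each presented certificate, lists every CA in the ladder above the leaf that could have signed it, and accepts the chain only if its top-most presented certificate is the pinned CA certificate by SHA-256 fingerprint. The sample chains, DNs and certificate bodies below are constructed placeholders (not the real SPI, Gandi or Comodo certificates), and the older slash-separated DN output style of openssl is assumed.

```python
"""Inspect the CA chain a TLS server presents and pin its trust anchor.

Added example, not from the original mailing-list message or from Debian/SPI.
Input is the text of `openssl s_client -connect HOST:443 -showcerts`.
"""
import base64
import hashlib
import re
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    sha256: str  # SHA-256 over the DER bytes, i.e. the certificate fingerprint


def pem_fingerprint(pem_body: str) -> str:
    """SHA-256 fingerprint of one certificate, given the base64 body of its PEM block."""
    der = base64.b64decode("".join(pem_body.split()))
    return hashlib.sha256(der).hexdigest()


_SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----", re.S)


def parse_showcerts(text: str) -> List[ChainEntry]:
    """Parse the 'Certificate chain' block: ' N s:<subject>' followed by '   i:<issuer>'
    and the PEM block of that certificate (assumes the old /C=../O=.. DN style)."""
    subjects, issuers = [], []
    for line in text.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            subjects.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = _ISSUER_RE.match(line)
        if m and len(issuers) < len(subjects):
            issuers.append(m.group(1).strip())
    pems = _PEM_RE.findall(text)
    if not (len(subjects) == len(issuers) == len(pems)):
        raise ValueError("malformed -showcerts output")
    return [ChainEntry(d, s, i, pem_fingerprint(body))
            for (d, s), i, body in zip(subjects, issuers, pems)]


def who_could_have_signed(chain: List[ChainEntry]) -> List[str]:
    """Everyone 'in the ladder up' from the leaf: each CA presented above the leaf,
    plus the root the top-most certificate names as issuer if the root itself
    was not sent. Any key in this list could have produced an equivalent leaf."""
    signers = [e.subject for e in chain[1:]]
    top = chain[-1]
    if top.issuer != top.subject:  # root not presented, only named
        signers.append(top.issuer)
    return signers


def anchor_is_pinned(chain: List[ChainEntry], pinned_sha256: str) -> bool:
    """Accept only if the top-most presented certificate IS the pinned CA cert.
    Compare fingerprints, never DNs: any CA can issue a certificate carrying the
    same subject name as the SPI CA. This only inspects what the server sent;
    the signature checks down the chain are the TLS client's job, e.g.
    `openssl s_client -CAfile spi-ca.pem ...` with nothing else trusted."""
    return chain[-1].sha256 == pinned_sha256


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples: placeholder DNs and placeholder DER bytes, NOT real certificates.
SPI_CA_DER = b"placeholder DER of the SPI CA certificate"
SPI_PIN = hashlib.sha256(SPI_CA_DER).hexdigest()  # value you would record from the real cert
SPI_CA_DN = "/O=Software in the Public Interest/CN=SPI CA (placeholder)"
GANDI_DN = "/O=Gandi/CN=Gandi Standard SSL CA (placeholder)"
COMODO_DN = "/O=Comodo CA Limited/CN=Comodo root (placeholder)"

SAMPLE_SPI_CHAIN = (
    "Certificate chain\n"
    " 0 s:/C=US/O=Software in the Public Interest, Inc./CN=www.debian.org\n"
    "   i:" + SPI_CA_DN + "\n" + _pem(b"placeholder DER of the debian.org leaf")
    + " 1 s:" + SPI_CA_DN + "\n" + "   i:" + SPI_CA_DN + "\n" + _pem(SPI_CA_DER)
)
SAMPLE_GANDI_CHAIN = (
    "Certificate chain\n"
    " 0 s:/CN=www.debian.org\n"
    "   i:" + GANDI_DN + "\n" + _pem(b"placeholder DER of a leaf issued via Gandi")
    + " 1 s:" + GANDI_DN + "\n" + "   i:" + COMODO_DN + "\n"
    + _pem(b"placeholder DER of the Gandi intermediate")
)

if __name__ == "__main__":
    # Real use: openssl s_client -connect www.debian.org:443 -servername www.debian.org \
    #             -showcerts </dev/null | python3 thisfile.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("SPI chain", SAMPLE_SPI_CHAIN), ("Gandi chain", SAMPLE_GANDI_CHAIN)]
    for name, text in samples:
        chain = parse_showcerts(text)
        print(name, "anchored at pinned SPI CA:", anchor_is_pinned(chain, SPI_PIN))
        print("  could have signed this leaf:", who_could_have_signed(chain))
```

With the constructed input, the SPI-style chain passes the pin and the only party able to sign is the SPI CA itself; the Gandi-style chain fails the pin and the signer list contains both the Gandi intermediate and the Comodo root it names, which is exactly the "ladder up" the message complains about.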