On August 22, 2016 10:08:42 Paul Menzel <[email protected]> wrote:
> Dear Bruce,
>
> On 08/22/16 05:47, Bruce Dubbs wrote:
>> Rical Jasan wrote:
>>> Dudes and Dudettes,
>>>
>>> Why do you not have a certificate for your site? Send me a CSR,
>>> and I will get one for you.
>>
>> It is not needed. Everything is public.
>
> It’s not only about encryption. It’s about authentication. Right now,
> visitors have no way to determine if they are talking to the “real” LFS
> server or some other server claiming to be the LFS server.

What I truly wonder: was it really you that wrote this previous reply? I
have no way to tell. Maybe we should start using S/MIME for email signing,
with everyone buying an SSL Client Certificate from a commercial vendor?
We then also have to fully protect the server's private key, so nobody can
steal it and run a fake LFS server with faulty recipes for glibc, gcc and
binutils, and trick everyone by clever DNS cache poisoning attacks. We
definitely have to implement secure DNSSEC first. As systemd's networkd
provides that, we should soon all be ok.

> So I would welcome it too, if the Web site would be securely accessible
> over HTTPS.
>
> Best regards,
> Paul
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page