On 08/22/2016 12:00 PM, [email protected] wrote:
> Dear Tim,
>
> On 08/22/16 10:29, Tim Tassonis wrote:
>> On August 22, 2016 10:08:42 Paul Menzel <[email protected]> wrote:
>>> Dear Bruce,
>>>
>>> On 08/22/16 05:47, Bruce Dubbs wrote:
>>>> Rical Jasan wrote:
>>>>> Dudes and Dudettes,
>>>>>
>>>>> Why do you not have a certificate for your site? Send me a CSR,
>>>>> and I will get one for you.
>>>>
>>>> It is not needed. Everything is public.
>>>
>>> It’s not only about encryption. It’s about authentication. Right now,
>>> visitors have no way to determine if they are talking to the “real” LFS
>>> server or some other server claiming to be the LFS server.
>>
>> What I truly wonder: was it really you that wrote this previous reply?
>> I have no way to tell. Maybe we should start using S/MIME for email
>> signing, with everyone buying a SSS Client Certificate from a commercial
>> vendor?
>>
>> We then also have to fully protect the server's private key, so nobody
>> can steal it and run a fake LFS server with faulty recipes for glibc,
>> gcc and binutils, and trick everyone by clever dns cache poisoning
>> attacks. We definitely have to implement secure DNSSEC first. As systemd's
>> networkd provides that, we should soon all be ok.
>
> I’d agree that using GPG or S/MIME for email would be a good practice,
> and improve the overall situation.
>
> But I think your reply is beside the point. While setting up secure
> access over HTTPS is not perfect, it improves the current situation in
> my opinion.
>
> How much people trust this new way of accessing the Web site, is up to them.
>
> Best regards,
>
> Paul
From my initial draft, which didn't reach you because I forgot one had
to be subscribed to post:
If it's a statement, because the whole SSL certificate business is
little more than a racket, I understand. If that's the case, let me
know, and say no more.
My offer to provide a certificate is based on the same sentiment Paul
voiced, however. While it may not provide perfect authentication, it
provides some level of it, and not less than currently exists.
Rical
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
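Rical's offer hinges on the site operator producing a CSR, and the thread's authentication argument hinges on the private key staying on the server while only the request goes to the CA. The script below is an added example, not something posted in the thread or maintained by the LFS project: it generates a key and a CSR for the web host and checks the request before it is sent. The hostname, output directory and the function names `make_csr` and `verify_csr` are assumptions made for the example; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: generate a private key and a certificate signing request (CSR)
# for a web host, then verify the CSR locally before handing it to a CA.
set -eu

# Assumed values for the example: the host named in the thread and a scratch dir.
HOST="${HOST:-www.linuxfromscratch.org}"
OUT="${OUT:-$(mktemp -d)}"

# make_csr HOST DIR
# Writes DIR/server.key (private key, readable only by the owner) and
# DIR/server.csr, and prints the CSR path. Only the CSR is sent to the CA;
# the key never leaves the server, which is what makes the certificate
# meaningful as proof of identity.
make_csr() {
    host="$1"
    dir="$2"
    # CSR configuration: subject plus a subjectAltName, because browsers
    # match the hostname against the SAN, not the CN. Written as a config
    # file rather than -addext so it also works with older OpenSSL releases.
    cat > "$dir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no

[ dn ]
CN = $host

[ ext ]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Restrict permissions on the files created from here on (the key).
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" \
        -out "$dir/server.csr" \
        -config "$dir/csr.cnf" >/dev/null 2>&1
    printf '%s\n' "$dir/server.csr"
}

# verify_csr CSR HOST
# Returns 0 when the CSR's self-signature checks out (proving the requester
# holds the matching private key) and its SAN names HOST; 1 otherwise.
verify_csr() {
    csr="$1"
    host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$host"
}

CSR=$(make_csr "$HOST" "$OUT")
verify_csr "$CSR" "$HOST" && echo "CSR ready to send to the CA: $CSR"
```

Run it as-is to get a key and request in a temporary directory, or set `HOST` and `OUT` in the environment. The verification step is what a recipient of the CSR should repeat before submitting it: a request whose signature does not verify, or whose SAN names a different host, would produce a certificate that does not authenticate the server the thread is worried about.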
