[lfs-dev] lfs-dev Digest, Vol 2681, Issue 1

Rical Jasan ricaljasan at pacific.net
Tue Aug 23 13:45:49 PDT 2016

On 08/22/2016 12:00 PM, lfs-dev-request at lists.linuxfromscratch.org wrote:
> Dear Tim, On 08/22/16 10:29, Tim Tassonis wrote:
>> > On August 22, 2016 10:08:42 Paul Menzel <pmenzel at molgen.mpg.de> wrote:
>> >
>>> >> Dear Bruce,
>>> >>
>>> >> On 08/22/16 05:47, Bruce Dubbs wrote:
>>>> >>> Rical Jasan wrote:
>>>>> >>>> Dudes and Dudettes,
>>>>> >>>>
>>>>> >>>> Why do you not have a certificate for your site?  Send me a CSR,
>>>>> >>>> and I will get one for you.
>>>> >>>
>>>> >>> It is not needed.  Everything is public.
>>> >>
>>> >> It’s not only about encryption. It’s about authentication. Right now,
>>> >> visitors have no way to determine if they are talking to the “real” LFS
>>> >> server or some other server claiming to be the LFS server.
>> >
>> > What  I truly wonder: was it really you that wrote this previous reply?
>> > I have no way to tell. Maybe we should start using S/MIME for email
>> > signing, whit everyone buying a SSS Client Certificate from a commercial
>> > vendor?
>> >
>> > We then also have to fully protect the server's private key, so nobody
>> > can steal it and run a fake LFS server with faulty recipes for glibc,
>> > gcc and binutils, and trick everyone by clever dns cache poisining
>> > attacks. We definitely have to implement secure DNSSEC first. As systemd's
>> > networkd provides that, we should soon all be ok.
>> > 
> I’d agree that using GPG or S/MIME for email would be a good practice, 
> and improve the overall situation.
> But I think you reply is besides the point. While setting up secure 
> access over HTTPS is not perfect, it improves the current situation in 
> my opinion.
> How much people trust this new way of accessing the Web site, is up to them.
> Best regards,
> Paul

From my initial draft, which didn't reach you because I forgot one had
to be subscribed to post:

    If it's a statement, because the whole SSL certificate business is
    little more than a racket, I understand.  If that's the case, let me
    know, and say no more.

My offer to provide a certificate is based on the same sentiment Paul
voiced, however.  While it may not provide perfect authentication, it
provides some level of it, and not less than currently exists.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxfromscratch.org/pipermail/lfs-dev/attachments/20160823/e84b6597/attachment.sig>

More information about the lfs-dev mailing list