From: ng0 <contact.ng0@cryptolab.net>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 22:52:49 +0000 [thread overview]
Message-ID: <20170210225249.ez2hrt4njfbntun6@wasp> (raw)
In-Reply-To: <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
On 17-02-10 23:43:45, Marius Bakke wrote:
> Ludovic Courtès <ludo@gnu.org> writes:
>
> > Marius Bakke <mbakke@fastmail.com> skribis:
> >
> >> Ludovic Courtès <ludo@gnu.org> writes:
> >>
> >>> Leo Famulari <leo@famulari.name> skribis:
> >>>
> >
> > [...]
> >
> >>> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
> >>> anything like that, on the grounds that the whole X.509 CA story is
> >>> completely broken IMO. I wonder if we should revisit that, on the
> >>> grounds that “it’s better than nothing.”
> >>>
> >>> The next question is what to do with foreign distros, and whether we
> >>> should bundle ‘nss-certs’ in the binary tarball, which is not exciting.
> >>>
> >>> Alternately we could have a package that provides only the Let’s Encrypt
> >>> certificate chain, if that’s what Savannah uses.
> >>>
> >>> Thoughts?
> >>
> >> If the private key used on https://git.savannah.gnu.org/ is static, one
> >> option would be to "pin" the corresponding public key. However, some LE
> >> clients also rotate the private key when renewing, so we'd need to ask
> >> SV admins. And also receive notices in advance if the key ever changes.
> >>
> >> Pinning the intermediate CAs might work, but what to do when the
> >> certificate is signed by a new intermediate (which may happen[0])? How
> >> to deliver updates to users with old certs?
> >>
> >> See: https://www.owasp.org/index.php/Pinning_Cheat_Sheet and
> >> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
> >>
> >> ..for quick and long introductions, respectively.
> >>
> >> [0] https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625?source_topic_id=2450
> >
> > All good points. Well, I guess there’s not much we can do?
>
> I think pinning the public key could work, if the Savannah
> administrators are aware of it. But we'd need a reliable fallback
> mechanism in case the private key needs to be updated.
>
> I think having a separate 'le-certs' package that can verify the Lets
> Encrypt chain sounds like the easiest option. Presumably new
> intermediates etc will be known well in advance.
I am relatively sure that LE would let its now very large user base know
in advance when a change like a new intermediate CA is being introduced,
but if we are really in doubt we could ask LE themselves.
--
ng0 -- https://www.inventati.org/patternsinthechaos/
next prev parent reply other threads:[~2017-02-10 22:51 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-09 15:55 `guix pull` over HTTPS Leo Famulari
2017-02-10 0:30 ` Leo Famulari
2017-02-10 15:33 ` Ludovic Courtès
2017-02-10 16:22 ` Marius Bakke
2017-02-10 22:21 ` Ludovic Courtès
2017-02-10 22:43 ` Marius Bakke
2017-02-10 22:52 ` ng0 [this message]
2017-02-11 14:28 ` Ludovic Courtès
2017-02-11 19:25 ` Leo Famulari
2017-02-11 19:48 ` Ricardo Wurmus
2017-02-12 13:36 ` Ludovic Courtès
2017-02-28 5:46 ` Leo Famulari
2017-02-28 14:59 ` Marius Bakke
2017-02-28 16:29 ` Leo Famulari
2017-02-28 16:45 ` Marius Bakke
2017-02-28 20:44 ` Marius Bakke
2017-02-28 21:44 ` Marius Bakke
2017-02-28 21:54 ` Marius Bakke
2017-03-01 2:36 ` Marius Bakke
2017-03-01 5:14 ` Leo Famulari
2017-03-01 21:20 ` [PATCH v3] pull: Default to HTTPS Marius Bakke
2017-03-01 22:07 ` Leo Famulari
2017-03-01 21:21 ` `guix pull` over HTTPS Marius Bakke
2017-03-06 10:04 ` Ludovic Courtès
2017-03-06 10:06 ` Ludovic Courtès
2017-03-06 12:27 ` Marius Bakke
2017-02-28 23:05 ` Marius Bakke
2017-03-01 0:19 ` Leo Famulari
2017-02-28 16:39 ` [PATCH] pull: Use HTTPS by default Marius Bakke
2017-03-01 1:01 ` Leo Famulari
2017-02-10 18:55 ` `guix pull` over HTTPS Christopher Allan Webber
2017-02-10 15:29 ` Ludovic Courtès
2017-02-13 21:23 ` Bob Proulx
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170210225249.ez2hrt4njfbntun6@wasp \
--to=contact.ng0@cryptolab.net \
--cc=guix-devel@gnu.org \
--cc=mbakke@fastmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).