unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Marius Bakke <mbakke@fastmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 23:43:45 +0100	[thread overview]
Message-ID: <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <87inoh660r.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 2069 bytes --]

Ludovic Courtès <ludo@gnu.org> writes:

> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Leo Famulari <leo@famulari.name> skribis:
>>>
>
> [...]
>
>>> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
>>> anything like that, on the grounds that the whole X.509 CA story is
>>> completely broken IMO.  I wonder if we should revisit that, on the
>>> grounds that “it’s better than nothing.”
>>>
>>> The next question is what to do with foreign distros, and whether we
>>> should bundle ‘nss-certs’ in the binary tarball, which is not exciting.
>>>
>>> Alternately we could have a package that provides only the Let’s Encrypt
>>> certificate chain, if that’s what Savannah uses.
>>>
>>> Thoughts?
>>
>> If the private key used on https://git.savannah.gnu.org/ is static, one
>> option would be to "pin" the corresponding public key. However, some LE
>> clients also rotate the private key when renewing, so we'd need to ask
>> SV admins. And also receive notices in advance if the key ever changes.
>>
>> Pinning the intermediate CAs might work, but what to do when the
>> certificate is signed by a new intermediate (which may happen[0])? How
>> to deliver updates to users with old certs?
>>
>> See: https://www.owasp.org/index.php/Pinning_Cheat_Sheet and
>> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
>>
>> ..for quick and long introductions, respectively.
>>
>> [0] https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625?source_topic_id=2450
>
> All good points.  Well, I guess there’s not much we can do?

I think pinning the public key could work, if the Savannah
administrators are aware of it. But we'd need a reliable fallback
mechanism in case the private key needs to be updated.

I think having a separate 'le-certs' package that can verify the Lets
Encrypt chain sounds like the easiest option. Presumably new
intermediates etc will be known well in advance.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

  reply	other threads:[~2017-02-10 22:43 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-09 15:55 `guix pull` over HTTPS Leo Famulari
2017-02-10  0:30 ` Leo Famulari
2017-02-10 15:33   ` Ludovic Courtès
2017-02-10 16:22     ` Marius Bakke
2017-02-10 22:21       ` Ludovic Courtès
2017-02-10 22:43         ` Marius Bakke [this message]
2017-02-10 22:52           ` ng0
2017-02-11 14:28           ` Ludovic Courtès
2017-02-11 19:25             ` Leo Famulari
2017-02-11 19:48               ` Ricardo Wurmus
2017-02-12 13:36                 ` Ludovic Courtès
2017-02-28  5:46             ` Leo Famulari
2017-02-28 14:59               ` Marius Bakke
2017-02-28 16:29                 ` Leo Famulari
2017-02-28 16:45                   ` Marius Bakke
2017-02-28 20:44                     ` Marius Bakke
2017-02-28 21:44                       ` Marius Bakke
2017-02-28 21:54                         ` Marius Bakke
2017-03-01  2:36                           ` Marius Bakke
2017-03-01  5:14                             ` Leo Famulari
2017-03-01 21:20                               ` [PATCH v3] pull: Default to HTTPS Marius Bakke
2017-03-01 22:07                                 ` Leo Famulari
2017-03-01 21:21                               ` `guix pull` over HTTPS Marius Bakke
2017-03-06 10:04                               ` Ludovic Courtès
2017-03-06 10:06                         ` Ludovic Courtès
2017-03-06 12:27                           ` Marius Bakke
2017-02-28 23:05                   ` Marius Bakke
2017-03-01  0:19                     ` Leo Famulari
2017-02-28 16:39                 ` [PATCH] pull: Use HTTPS by default Marius Bakke
2017-03-01  1:01                   ` Leo Famulari
2017-02-10 18:55   ` `guix pull` over HTTPS Christopher Allan Webber
2017-02-10 15:29 ` Ludovic Courtès
2017-02-13 21:23 ` Bob Proulx

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me \
    --to=mbakke@fastmail.com \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).