From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 23:21:56 +0100
Message-ID: <87inoh660r.fsf@gnu.org>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine>
	<87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52535)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1ccJZs-0004Si-Jk
	for guix-devel@gnu.org; Fri, 10 Feb 2017 17:22:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1ccJZp-0003Vt-AR
	for guix-devel@gnu.org; Fri, 10 Feb 2017 17:22:04 -0500
In-Reply-To: <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	(Marius Bakke's message of "Fri, 10 Feb 2017 17:22:01 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org

Marius Bakke <mbakke@fastmail.com> skribis:

> Ludovic Court=C3=A8s <ludo@gnu.org> writes:
>
>> Leo Famulari <leo@famulari.name> skribis:
>>

[...]

>> Initially, I didn=E2=80=99t want to have =E2=80=98nss-certs=E2=80=99 in =
=E2=80=98%base-packages=E2=80=99 or
>> anything like that, on the grounds that the whole X.509 CA story is
>> completely broken IMO.  I wonder if we should revisit that, on the
>> grounds that =E2=80=9Cit=E2=80=99s better than nothing.=E2=80=9D
>>
>> The next question is what to do with foreign distros, and whether we
>> should bundle =E2=80=98nss-certs=E2=80=99 in the binary tarball, which i=
s not exciting.
>>
>> Alternately we could have a package that provides only the Let=E2=80=99s=
 Encrypt
>> certificate chain, if that=E2=80=99s what Savannah uses.
>>
>> Thoughts?
>
> If the private key used on https://git.savannah.gnu.org/ is static, one
> option would be to "pin" the corresponding public key. However, some LE
> clients also rotate the private key when renewing, so we'd need to ask
> SV admins. And also receive notices in advance if the key ever changes.
>
> Pinning the intermediate CAs might work, but what to do when the
> certificate is signed by a new intermediate (which may happen[0])? How
> to deliver updates to users with old certs?
>
> See: https://www.owasp.org/index.php/Pinning_Cheat_Sheet and
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
>
> ..for quick and long introductions, respectively.
>
> [0] https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose=
-to-implement/4625?source_topic_id=3D2450

All good points.  Well, I guess there=E2=80=99s not much we can do?

Ludo=E2=80=99.