Subject: Re: No port 443 (https) available at
"security.debian.org"-repository



CAA record is meant to be consumed by CA, not by end-users, thus it
doesn't provide much protection.

O.
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro
pečení chleba všeho druhu

On Wed, Jul 26, 2017, at 01:01, James Bromberger wrote:
>
>
> On 26/07/2017 6:20 AM, Adam Borowski wrote:
> > https provides no protection against targetted attacks by government
> > agents.
> > The CA cartel model consists of 400+ CAs, many of them outright controlled
> > by governments, most of the rest doing what they're told (no, warrants are
> > are a story for nice kids). Clients in general trust _any_ CA, which means
> > you're only as secure as the worst CA. Ie, https protects you against Joe
> > Script Kiddie but not against a capable opponent.
> >
>
> Except there are new-ish ways to limit the scope from 400+ CAs to just
> the one you use.
> c.f.
> /Certification Authority Authorization/ (/CAA/) /DNS/ Resource
> https://tools.ietf.org/html/rfc6844
>
> ... if APT wishes to support this.
> Email had 1 attachment:
> + signature.asc
> 1k (application/pgp-signature)

...



Programming list archiving by: Enterprise Git Hosting