| 1 |
"Robin H. Johnson" <robbat2@g.o> posted |
| 2 |
20070928001048.GD1606@××××××××××××××××××××××××.net, excerpted below, on |
| 3 |
Thu, 27 Sep 2007 17:10:48 -0700: |
| 4 |
|
| 5 |
> If there aren't too many AND we can get a dedicated IP for each of those |
| 6 |
> services, I'd like to suggest the following, as an easily doable and |
| 7 |
> low-overhead (in terms of Trustees/paperwork) solution: |
| 8 |
> |
| 9 |
> 1. On the services identified, get extra IPs, and use the free GoDaddy |
| 10 |
> certs. |
| 11 |
> 2. On other services use the Gentoo-CA approach. |
| 12 |
|
| 13 |
There's probably a reason this won't work, since I've yet to see it |
| 14 |
brought up here and it's not mentioned on the bug either, but hey, I |
| 15 |
don't know said reason, and it's worth the shot... |
| 16 |
|
| 17 |
Would it be possible to setup a gentoo-certs package, versioned like any |
| 18 |
other, with USE flags if necessary for installing where various browsers, |
| 19 |
etc can see them? |
| 20 |
|
| 21 |
The idea being, any time a certificate changes you create a new version |
| 22 |
of gentoo-certs. "Security-clueless" users can simply be told about this |
| 23 |
package, and should reasonably quickly get the idea of checking for an |
| 24 |
upgrade any time they get a security warning. Certs in this package |
| 25 |
would then be accepted by default, while allowing users the option of |
| 26 |
installing the package or not, plus the possible USE flags, as well as |
| 27 |
configuring their browser manually to reject the certs, if desired. |
| 28 |
|
| 29 |
That would be easier in some ways and harder in others, than setting up a |
| 30 |
full Gentoo-CA. However, Gentoo devs deal with packages every day, while |
| 31 |
I doubt many deal with CA signing every day (umm... from the bug it looks |
| 32 |
like a couple devs do... enough anyway if not every day), so it might be |
| 33 |
more routine and thus easier for Gentoo to go the package route, even if |
| 34 |
it's harder in the absolute. |
| 35 |
|
| 36 |
I'd think "you need to merge or update this package" would suffice for |
| 37 |
the "security-clueless", while the "security-clueful" already know the |
| 38 |
deal, so no big deal for them, tho it'd lessen the hassle factor for them |
| 39 |
as well. |
| 40 |
|
| 41 |
-- |
| 42 |
Duncan - List replies preferred. No HTML msgs. |
| 43 |
"Every nonfree program has a lord, a master -- |
| 44 |
and if you use the program, he is your master." Richard Stallman |
| 45 |
|
| 46 |
-- |
| 47 |
gentoo-dev@g.o mailing list |
Archives