svn https access

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu May 8 06:23:27 UTC 2014


On 07/05/2014 21:46, pete wright wrote:
> loading that site in firefox gives a warning indicating that the CA is
> not registered as well.  is this done on purpose?  kind of hesitant to
> enable pkg fingerprints on my nodes if i could be using a potentially
> forged fingerprint.

In principle, now that freebsd.org is DNSSEC enabled, any SSL key can be
securely identified as belonging to the FreeBSD project by including a
key digest in the DNS.  See RFC 6698.

However I can't seem to find any TLSA records associated with
'svn.freebsd.org' or 'svn0.us-east.freebsd.org' [*] or
'svnmir.nyi.freebsd.org'.

This method has the advantage that you don't need to spend money buying
certs from CAs.  However, support in browsers and other software is
going to be patchy at best, so manual verification will be necessary.

	Cheers,

	Matthew

[*] A CNAME, so there couldn't be a TLSA record anyhow.

-- 
Dr Matthew J Seaman MA, D.Phil.

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
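As an added example (not code from the mail above or from the FreeBSD project), the following Python shows what the RFC 6698 mechanism Matthew refers to looks like in practice: a TLSA record is built from a certificate (or just its SubjectPublicKeyInfo) and a presented certificate is later checked against it. It goes a little beyond the mail in that it handles both selectors (full certificate, SPKI) and all three matching types (exact, SHA-256, SHA-512) using only the standard library, with a minimal DER walker to pull the SPKI out of a certificate. The certificate is a constructed, unsigned X.509 skeleton built inside the script purely so the example runs offline; the name svn.example.net and the key bytes are placeholders, not anything published by freebsd.org.

```python
"""Build and check RFC 6698 TLSA records (DANE) with only the standard library."""
import hashlib
import hmac
import struct

# RFC 6698 field values
USAGE_DANE_EE = 3        # certificate usage 3: trust this end-entity cert/key, no PKIX chain
SELECTOR_FULL = 0        # whole DER certificate
SELECTOR_SPKI = 1        # SubjectPublicKeyInfo only (survives re-issuance with the same key)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

SEQ, INT, BITSTR, NULL, OID, UTF8, UTCTIME, SET, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0x31, 0xA0


def der(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_tlv(buf: bytes, off: int = 0):
    """Return (tag, header_len, value_len) of the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def der_children(buf: bytes):
    """Yield each raw child TLV of a constructed DER value."""
    _, hlen, vlen = der_tlv(buf)
    pos, end = hlen, hlen + vlen
    while pos < end:
        _, chlen, cvlen = der_tlv(buf, pos)
        yield buf[pos:pos + chlen + cvlen]
        pos += chlen + cvlen


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Extract the SubjectPublicKeyInfo TLV from a DER X.509 certificate.
    TBSCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
                     validity, subject, subjectPublicKeyInfo, ..."""
    tbs = next(iter(der_children(cert_der)))
    fields = list(der_children(tbs))
    if fields[0][0] == CTX0:          # explicit [0] version is present on v2/v3 certs
        fields = fields[1:]
    return fields[5]


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """The 'certificate association data' field for a given selector/matching type."""
    data = cert_der if selector == SELECTOR_FULL else subject_public_key_info(cert_der)
    if matching == MATCH_EXACT:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching)


def tlsa_record(cert_der: bytes, usage=USAGE_DANE_EE, selector=SELECTOR_SPKI, matching=MATCH_SHA256) -> str:
    """Presentation format as it would sit in a zone, e.g. '3 1 1 <hex>'."""
    return "%d %d %d %s" % (usage, selector, matching, tlsa_data(cert_der, selector, matching).hex())


def tlsa_rdata(record: str) -> bytes:
    """Wire-format RDATA (RFC 6698 section 2.1): three one-octet fields, then the data."""
    u, s, m, hexdata = record.split()
    return struct.pack("!BBB", int(u), int(s), int(m)) + bytes.fromhex(hexdata)


def cert_matches_tlsa(cert_der: bytes, record: str) -> bool:
    """Check a presented certificate against a DANE-EE (usage 3) TLSA record.
    Usages 0-2 additionally require PKIX chain validation, which this does not do."""
    u, s, m, hexdata = record.split()
    if int(u) != USAGE_DANE_EE:
        return False
    return hmac.compare_digest(bytes.fromhex(hexdata), tlsa_data(cert_der, int(s), int(m)))


def constructed_cert(key_byte: int = 0x42):
    """Constructed, UNSIGNED X.509v3 skeleton for this example (not a real certificate).
    Returns (certificate DER, SubjectPublicKeyInfo DER). The key bits are a placeholder."""
    sha256_rsa = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    rsa = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, b"svn.example.net"))))
    validity = der(SEQ, der(UTCTIME, b"140501000000Z") + der(UTCTIME, b"150501000000Z"))
    spki = der(SEQ, rsa + der(BITSTR, b"\x00" + bytes([key_byte]) * 64))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(SEQ, tbs + sha256_rsa + der(BITSTR, b"\x00" * 33)), spki


SAMPLE_CERT, SAMPLE_SPKI = constructed_cert()

if __name__ == "__main__":
    rec = tlsa_record(SAMPLE_CERT)                       # 3 1 1 <sha256 of SPKI>
    print("_443._tcp.svn.example.net. IN TLSA", rec)
    print("presented cert matches:", cert_matches_tlsa(SAMPLE_CERT, rec))
    print("other key matches:", cert_matches_tlsa(constructed_cert(0x43)[0], rec))
```

In a real deployment the record lives at `_443._tcp.<hostname>` (RFC 6698 section 3), and the check above only means something if the resolver returned it DNSSEC-validated; an unvalidated TLSA answer can be forged just as easily as the certificate the list poster was worried about. The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one usually published because it keeps working when a certificate is re-issued for the same key, whereas a selector-0 record has to be replaced with every new certificate.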
