svn https access
m.seaman at infracaninophile.co.uk
Thu May 8 06:23:27 UTC 2014

On 07/05/2014 21:46, pete wright wrote:

> loading that site in firefox gives a warning indicating that the CA is
> not registered as well. is this done on purpose? kind of hesitant to
> enable pkg fingerprints on my nodes if i could be using a potentially
> forged fingerprint.

In principle, now that freebsd.org is DNSSEC enabled, any SSL key can be
securely identified as belonging to the FreeBSD project by including a
key digest in the DNS. See RFC 6698.

However I can't seem to find any TLSA records associated with
'svn.freebsd.org' or 'svn0.us-east.freebsd.org' [*] or

This method has the advantage that you don't need to spend money buying
certs from CAs. However, support in browsers and other software is
going to be patchy at best, so manual verification will be necessary.

[*] A CNAME, so there couldn't be a TLSA record anyhow.

Dr Matthew J Seaman MA, D.Phil.
JID: matthew at infracaninophile.co.uk
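
The manual verification mentioned in the message above can be scripted. The following Python is an added example, not part of the original post or any FreeBSD project code: it compares a DER certificate with RFC 6698 TLSA record data for certificate usage 3 (domain-issued certificate). It assumes the record was fetched through a DNSSEC-validating resolver; the function names and the sample "certificate" (a constructed DER skeleton, not a real one) are hypothetical.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Return (tag, value_start, element_end) for the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    start = off + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        first = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + first > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + first

def spki_from_cert(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, off, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, off, _ = _tlv(cert_der, off)       # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                       # optional [0] version field
        off = end
    for _field in range(5):               # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    _, _, end = _tlv(cert_der, off)
    return cert_der[off:end]

def tlsa_matches(rdata, cert_der):
    """Compare a certificate with TLSA RDATA 'usage selector mtype hex'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if int(usage) != 3:
        raise ValueError("only usage 3 handled; usages 0-2 also need chain checks")
    if selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unknown selector or matching type")
    # Selector 0 covers the full certificate, selector 1 only the public key.
    blob = cert_der if selector == "0" else spki_from_cert(cert_der)
    if mtype != "0":                      # 1 = SHA-256, 2 = SHA-512, 0 = exact match
        blob = hashlib.new("sha256" if mtype == "1" else "sha512", blob).digest()
    return hmac.compare_digest(blob, bytes.fromhex("".join(hexdata.split())))

# Constructed input: a DER skeleton with the X.509 field order, not a real certificate.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only
SPKI = _der(0x30, b"constructed-public-key")
TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") * 4 + SPKI)
CERT = _der(0x30, TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
PINNED = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
if __name__ == "__main__":
    print(tlsa_matches(PINNED, CERT))
```

A "3 1 1" record pins only the public key, so it keeps matching when the certificate is reissued with the same key pair; a selector 0 record has to be republished on every reissue.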