
List:       kde-core-devel
Subject:    www.kde.org
From:       George Staikos <staikos () kde ! org>
Date:       2000-12-16 5:40:17


   Is it possible to get a certificate and mod_ssl running on www.kde.org?  I 
ask this because it would be nice to use it for konqueror SSL updates.  We 
could keep the CA file on there with an md5sum so people could verify that 
they have a non-tampered-with copy.  Also whenever there is a rollover, we 
can keep an update posted there so users can update their ca-root bundle 
without having to update all of kdelibs.

   I'm sure it could prove useful for other sensitive materials as well.  I 
just find it a bit sketchy distributing a big bundle that most people will 
never read.  Anyone could cause problems by sneaking another entry into the 
file with a /O="RSA Data Security Inc."  (note the missing comma).  Then they 
could register www.amazom.com and sign their own certificate with this root 
file.  The users visit the site and have no idea that they're not on a 
legitimate site.  This includes a locked icon at the top and no warning that 
the certificate is invalid.  The only way to prevent this is to have a 
cryptographically signed file, and since not everyone has PGP, SSL is 
probably our next best bet.  It's easy for one of us to keep an eye on the 
file that is on the site to make sure it's ok.

  Is there a simpler way to do this?  Is it not worthwhile?

-- 

George Staikos 
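
The check proposed in the message above, as an added example that is not part of the original post or of KDE's code: compare a local ca-root bundle with a digest and per-entry fingerprint list published over SSL, and report any entry that was slipped in. It assumes SHA-256 in place of the md5sum the post mentions; the function names are hypothetical, and the sample entries are constructed byte strings, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def entry_fingerprints(bundle_text):
    """SHA-256 fingerprint of every PEM entry's decoded bytes, in file order."""
    prints = []
    for body in PEM_RE.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def publish(bundle_text):
    """What the trusted site would post: whole-file digest plus entry list."""
    digest = hashlib.sha256(bundle_text.encode()).hexdigest()
    return digest, entry_fingerprints(bundle_text)

def audit_bundle(local_text, published_digest, published_entries):
    """Compare a local bundle with the values fetched from the trusted site."""
    local = entry_fingerprints(local_text)
    known, present = set(published_entries), set(local)
    return {
        "digest_ok": hashlib.sha256(local_text.encode()).hexdigest() == published_digest,
        "added": [fp for fp in local if fp not in known],
        "missing": [fp for fp in published_entries if fp not in present],
    }

def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER certificates; the names echo the post's example.
GOOD = [b'O="RSA Data Security, Inc." (constructed)', b"O=Example Root CA (constructed)"]
ROGUE = b'O="RSA Data Security Inc." (constructed, comma missing)'

PUBLISHED = "".join(make_pem(d) for d in GOOD)
TAMPERED = PUBLISHED + make_pem(ROGUE)

if __name__ == "__main__":
    reference = publish(PUBLISHED)
    print(audit_bundle(PUBLISHED, *reference))
    print(audit_bundle(TAMPERED, *reference))
```

The whole-file digest only says that something changed; the per-entry list is what points at the extra root, which matters when the lookalike name differs from a legitimate one by a single comma.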
