
curl-library

Re: http://curl.haxx.se/ca/cacert.pem

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Thu, 7 Feb 2013 17:12:11 -0500

On Thu, Feb 7, 2013 at 4:47 PM, Kristian Fiskerstrand <kristian.fiskerstrand_at_sumptuouscapital.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 02/07/2013 10:40 PM, Daniel Stenberg wrote:
> > On Thu, 7 Feb 2013, Kristian Fiskerstrand wrote:
> >
> >>> Anyway, I was wondering if it might be possible to update the
> >>> website to serve these over a secure connection?
> >>
> >> Alternatively (or in addition) could it make sense to digitally
> >> sign the files using the OpenPGP standard (GnuPG) ?
> >
> > That's an interesting idea, but this output is generated
> > automatically in a cronjob and it would be a bit annoying for me to
> > have to sign it every time it happens to change. And having a
> > mis-matching signature lingering would be terrible!
> >
>
> Presuming that the cronjob happens on a separate system than the
> actual webserver even a lower-security signing key could make sense,
> then the signing process could be performed automatically as well
> (--batch mode). It wouldn't help (as much) for a system compromise
> (nothing would), but it would be of great help for a poisoned DNS
> record or other MITM attack vector.

Anyone really keen to roll their own bundle could pick up CA certs from
Thawte, in the "Top Issues" tab here:

     https://search.thawte.com/support/ssl-digital-certificates/index.html

and Verisign:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

I imagine the other Certificate Authorities have similar downloads.

Ralph Mitchell

Received on 2013-02-07
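
The automated signing discussed in the quoted exchange above, sketched as an added example; it is not part of the original mail and not the curl project's own tooling. The function names, paths and key identity are hypothetical, and GnuPG 2.1 or later with a passphrase-less signing key on the signing host is assumed.

```bash
#!/usr/bin/env bash
# Added example. Function names, paths and the key identity are assumptions.

# Signing host (cron job): sign the newly generated bundle in a staging
# directory, check the signature there, and only then publish both files.
publish_bundle() {   # publish_bundle <gnupg-home> <key-id> <new-bundle> <webroot>
  local home=$1 key=$2 new=$3 webroot=$4 stage rc=1
  stage=$(mktemp -d "$webroot/.stage.XXXXXX") || return 1
  if cp "$new" "$stage/cacert.pem" &&
     gpg --homedir "$home" --batch --yes --local-user "$key" --armor \
         --output "$stage/cacert.pem.asc" --detach-sign "$stage/cacert.pem" &&
     gpg --homedir "$home" --batch --verify \
         "$stage/cacert.pem.asc" "$stage/cacert.pem" 2>/dev/null; then
    # rename() within one filesystem: readers never see a half-written file.
    mv "$stage/cacert.pem.asc" "$webroot/cacert.pem.asc" &&
      mv "$stage/cacert.pem" "$webroot/cacert.pem" && rc=0
  fi
  rm -rf "$stage"
  return "$rc"
}

# Client: replace the installed bundle only if the downloaded copy verifies
# against a keyring holding the publisher's public key (obtained out of band).
install_bundle() {   # install_bundle <gnupg-home> <bundle> <signature> <dest>
  local home=$1 bundle=$2 sig=$3 dest=$4
  gpg --homedir "$home" --batch --verify "$sig" "$bundle" 2>/dev/null || return 1
  cp "$bundle" "$dest.new" && mv "$dest.new" "$dest"
}
```

Between the two renames in `publish_bundle` a client can fetch a signature that does not yet match the bundle; `install_bundle` then fails and the previously installed bundle stays in place.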