Archie Cobbs wrote:
> On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:
>> HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
>
> True... but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
>
> In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?

--
Per Jessen, Zürich (20.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
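The thread turns on where the trust root comes from: metadata and packages are covered by the repository signature, but the signing key itself is only as trustworthy as the channel and the "Trust Always?" prompt that fetched it. The following script is an added example for this discussion, not code from the thread or from the zypper project; it audits .repo definitions of the kind kept under /etc/zypp/repos.d/ and reports repositories whose key would be obtained over plain HTTP or with signature checking switched off. The sample repository definitions are constructed, and the assumptions that a missing gpgcheck means "on" and that a repo without a gpgkey entry obtains its key from its baseurl are mine, marked in the comments.

```python
"""Audit .repo definitions for repository signing keys fetched over plain HTTP.

Added example for the opensuse-buildservice thread on HTTP vs HTTPS key delivery;
not part of the thread and not zypper's own code.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample of three repository definitions (not real repositories).
SAMPLE_REPOS = """
[good-repo]
name=Key and metadata over HTTPS
enabled=1
baseurl=https://example.invalid/repo/
gpgcheck=1
gpgkey=https://example.invalid/repo/repodata/repomd.xml.key

[http-key-repo]
name=Key fetched over plain HTTP
enabled=1
baseurl=http://example.invalid/repo/
gpgcheck=1
gpgkey=http://example.invalid/repo/repodata/repomd.xml.key

[no-check-repo]
name=Signature checking disabled
enabled=1
baseurl=https://example.invalid/repo/
gpgcheck=0

[disabled-repo]
name=Disabled, so not audited
enabled=0
baseurl=http://example.invalid/repo/
gpgcheck=1
"""


def audit_repo_config(text):
    """Return {repo alias: [finding, ...]}; an empty list means nothing flagged.

    Only enabled repositories are examined. Plain-HTTP baseurls are NOT flagged
    by themselves, since signed metadata and packages stay verifiable over HTTP;
    what matters is the channel the trust root (the signing key) arrives over.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for alias in cp.sections():
        sec = cp[alias]
        issues = []
        findings[alias] = issues
        if sec.get("enabled", "1") != "1":
            continue
        # Assumption: a missing gpgcheck entry is treated as checking enabled.
        gpgcheck_on = sec.get("gpgcheck", "1") == "1"
        if not gpgcheck_on:
            issues.append("gpgcheck=0: metadata and package signatures are not verified")
            continue
        # Assumption: without an explicit gpgkey the key is obtained from the
        # repository itself, so baseurl's scheme decides the key's transport.
        key_source = sec.get("gpgkey") or sec.get("baseurl", "")
        scheme = urlparse(key_source).scheme.lower()
        if scheme == "http":
            issues.append(
                "signing key delivered over plain HTTP; an auto-accepted "
                "'Trust Always?' pins whatever arrives on this channel"
            )
        elif scheme not in ("https", "file"):
            issues.append(f"signing key source has unexpected scheme '{scheme or 'none'}'")
    return findings


def repos_with_findings(text):
    """Convenience: sorted list of aliases that have at least one finding."""
    return sorted(alias for alias, issues in audit_repo_config(text).items() if issues)


if __name__ == "__main__":
    for alias, issues in audit_repo_config(SAMPLE_REPOS).items():
        status = "; ".join(issues) if issues else "ok"
        print(f"{alias}: {status}")
```

Run against a real system by concatenating the files in /etc/zypp/repos.d/ and passing the text to audit_repo_config; a repository flagged for HTTP key delivery is one where the operator should compare the imported key's fingerprint against a value obtained out of band rather than rely on the transport.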