Thanks Iavor et al.<div><br></div><div>I agree. I&#39;ll see what we can do. We have budget for this so hopefully it will be a simple matter of finding people to implement the change.</div><div><br></div><div>Jason<br><br>
<div class="gmail_quote">On Fri, Nov 2, 2012 at 10:34 AM, Iavor Diatchki <span dir="ltr">&lt;<a href="mailto:iavor.diatchki@gmail.com" target="_blank">iavor.diatchki@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<div><br></div><div>I think that getting a certificate is a good idea.  I think this could probably be arranged by the <a href="http://haskell.org" target="_blank">haskell.org</a> committee, which even has a budget for things like that, I believe.  I&#39;m cc-ing Jason, who&#39;s on the committee and might have more input on what&#39;s the best way to proceed. </div>

<div><br></div><div>Thanks for bringing this up!</div><span class="HOEnZb"><font color="#888888"><div>-Iavor</div></font></span><div class="HOEnZb"><div class="h5">
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 2, 2012 at 5:14 AM, Ramana Kumar <span dir="ltr">&lt;<a href="mailto:Ramana.Kumar@cl.cam.ac.uk" target="_blank">Ramana.Kumar@cl.cam.ac.uk</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Who is the webmaster for <a href="http://haskell.org" target="_blank">haskell.org</a>? Presumably they will be required in the process of installing the certificate.<br>

<br>As far as obtaining goes, one can obtain a free certificate from StartSSL - see <a href="https://www.startssl.com" target="_blank">https://www.startssl.com</a><br>


There are other CAs, but if nobody has any strong preferences, I recommend going with them.<div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen <span dir="ltr">&lt;<a href="mailto:mail@nh2.me" target="_blank">mail@nh2.me</a>&gt;</span> wrote:<br>




<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So how do we go forward about getting the SSL certificate and installing it?<br>
<div><br>
On 29/10/12 01:06, Patrick Mylund Nielsen wrote:<br>
&gt; Sure. No matter what&#39;s done in Cabal, the clients for everything else<br>
&gt; will still be mainly browsers.<br>
&gt;<br>
&gt; On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen &lt;<a href="mailto:mail@nh2.me" target="_blank">mail@nh2.me</a>&gt; wrote:<br>
</div><div>&gt;<br>
&gt;     No matter what we do with cabal, it would be great if I could soon point<br>
&gt;     my browser at <a href="https://haskell.org" target="_blank">https://haskell.org</a> *anyway*.<br>
&gt;<br>
&gt;     On 28/10/12 23:55, Patrick Mylund Nielsen wrote:<br>
&gt;     &gt; Of course, as long as Cabal itself is distributed through this same<br>
&gt;     &gt; https-enabled site, you have the same PKI-backed security as just about<br>
&gt;     &gt; any major website. This model has problems, yes, but it&#39;s good enough,<br>
&gt;     &gt; and it&#39;s easy to use. If you really want to improve it (without<br>
&gt;     &gt; impacting usability), have Google/the browser vendors pin the public<br>
</div>&gt;     &gt; cert for <a href="http://haskell.org" target="_blank">haskell.org</a>.<br>





<div>&gt;     &gt;<br>
&gt;     &gt; On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen<br>
</div>&gt;     &gt; &lt;<a href="mailto:haskell@patrickmylund.com" target="_blank">haskell@patrickmylund.com</a>&gt; wrote:<br>
<div>&gt;     &gt;<br>
&gt;     &gt;     PGP tends to present many usability issues, and in this case it<br>
&gt;     &gt;     would make more sense/provide a clearer win if there were many<br>
&gt;     &gt;     different, semi-untrusted hackage mirrors. Just enable HTTPS and<br>
&gt;     &gt;     have Cabal validate the server certificate against a CA pool of one.<br>
&gt;     &gt;     PKI/trusting obscure certificate authorities in Egypt and Syria is<br>
&gt;     &gt;     the biggest concern here, not somebody MITMing your initial Cabal<br>
&gt;     &gt;     installation (which in a lot of cases happens through apt-get or<br>
&gt;     &gt;     yum, anyway.)<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt;     On Mon, Oct 29, 2012 at 12:34 AM, Changaco<br>
</div>&gt;     &gt;     &lt;<a href="mailto:changaco@changaco.net" target="_blank">changaco@changaco.net</a>&gt; wrote:<br>
<div>&gt;     &gt;<br>
&gt;     &gt;         On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:<br>
&gt;     &gt;         &gt; How do you get a copy of cabal while making sure that somebody<br>
&gt;     &gt;         &gt; hasn&#39;t MITMed you and replaced the PGP key?<br>
&gt;     &gt;<br>
&gt;     &gt;         Ultimately it is a DNS problem. To establish a secure connection with<br>
</div>&gt;     &gt;         <a href="http://haskell.org" target="_blank">haskell.org</a> you&#39;d have to get the certificate from the DNS, but that<br>
<div>&gt;     &gt;         technology is not ready yet, so all you can do is check the key against<br>
&gt;     &gt;         as many sources as possible like Michael Walker said.<br>
&gt;     &gt;<br>
&gt;     &gt;         On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:<br>
&gt;     &gt;         &gt; So why not use HTTPS?<br>
&gt;     &gt;<br>
&gt;     &gt;         Because it doesn&#39;t solve the problem.<br>
&gt;     &gt;<br>
&gt;     &gt;         _______________________________________________<br>
&gt;     &gt;         Haskell-Cafe mailing list<br>
&gt;     &gt;         <a href="mailto:Haskell-Cafe@haskell.org" target="_blank">Haskell-Cafe@haskell.org</a><br>
</div><div><div>&gt;     &gt;         <a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
<br>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>