28 Oct
2012
28 Oct
'12
4:46 p.m.
2012/10/28 Changaco
It doesn't matter what kind of certificate the server uses since the client generally doesn't know about it, especially on first connection. Some programs remember the certificate between uses and inform you when it changes, but that's not perfect either.
In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed). Best regards, Petr Pudlak