From owner-freebsd-questions@FreeBSD.ORG Wed Jan 7 08:37:50 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 436C8106564A for ; Wed, 7 Jan 2009 08:37:50 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id BAEE48FC17 for ; Wed, 7 Jan 2009 08:37:49 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from lack-of-gravitas.thebunker.net (gateway.ash.thebunker.net [213.129.64.4]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id n078bbs6035594 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 7 Jan 2009 08:37:44 GMT (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.7.2 smtp.infracaninophile.co.uk n078bbs6035594 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1231317464; bh=nrmf0MzGl6ask2 P5KZgV1SewcoKxiYoEj/WRbYgP+AA=; h=Message-ID:Date:From:MIME-Version: To:Subject:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:Cc:Content-Type:Date:From:In-Reply-To: Message-ID:Mime-Version:References:To; z=Message-ID:=20<496469D1.4 060600@infracaninophile.co.uk>|Date:=20Wed,=2007=20Jan=202009=2008: 37:37=20+0000|From:=20Matthew=20Seaman=20|Organization:=20Infracaninophile|User-Agent:=20Thunderbird= 202.0.0.19=20(X11/20090103)|MIME-Version:=201.0|To:=20freebsd-quest ions@freebsd.org|Subject:=20Re:=20Foiling=20MITM=20attacks=20on=20s ource=20and=20ports=20trees|References:=20<20090102164412.GA1258@ph enom.cordula.ws>=09<20090106102124.O34151@wojtek.tensor.gdynia.pl>= 09<20090106193126.GA82164@kokopelli.hydra>=09<200901061111.52155.fb sd.questions@rachie.is-a-geek.net>=20<20090107072227.GA84869@kokope lli.hydra>|In-Reply-To:=20<20090107072227.GA84869@kokopelli.hydra>| X-Enigmail-Version:=200.95.6|Content-Type:=20text/plain=3B=20charse t=3DUTF-8=3B=20format=3Dflowed|Content-Transfer-Encoding:=207bit; b=p6EiPFeAh4nFq5hIBQY+xj4RMdYCC/mjID8Hd+lrhXK1bfXQ9mbE/VUUDCkmsK+Gc KgZNauLQW/wnOoUmI5e+R/29L3PVwJPSy/qtUGxrxpTE27KzBXMWw6YBD0ArcFPfYlM z1E4awMhIbx5MIHNBtcsjZRdoHdo99a++queIJ4= Message-ID: <496469D1.4060600@infracaninophile.co.uk> Date: Wed, 07 Jan 2009 08:37:37 +0000 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.19 (X11/20090103) MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <20090102164412.GA1258@phenom.cordula.ws> <20090106102124.O34151@wojtek.tensor.gdynia.pl> <20090106193126.GA82164@kokopelli.hydra> <200901061111.52155.fbsd.questions@rachie.is-a-geek.net> <20090107072227.GA84869@kokopelli.hydra> In-Reply-To: <20090107072227.GA84869@kokopelli.hydra> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (smtp.infracaninophile.co.uk [81.187.76.162]); Wed, 07 Jan 2009 08:37:44 +0000 (GMT) X-Virus-Scanned: ClamAV 0.94.2/8841/Wed Jan 7 05:09:14 2009 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Subject: Re: Foiling MITM attacks on source and ports trees X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jan 2009 08:37:50 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Chad Perrin wrote: | On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote: |> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote: |>> Out-of-band corroboration of a certificate's authenticity is kind of |>> necessary to the security model of SSL/TLS. A self-signed certificate, |>> in and of itself, is not really sufficient to ensure the absence of a man |>> in the middle attack or other compromise of the system. |>> |>> On the other hand, I don't trust Verisign, either. |> In the less virtual world, we only trust governments to provide identity |> papers (manufactured by companies, but still the records are kept and |> verified by a government entity). |> Instead of trying to regulate the internet and provide a penal system, |> governments would do much better taking their responsibility on these issues. |> It shouldn't be so hard to give every citizen the option to "get an online |> certificate corresponding with their passport" and similarly for Chambers of |> Commerce to provide certificates for businesses. | | My distrust of of the certifying authority is not mitigated by replacing | Verisign with FedCorp. Institutional incompetence is typically a result | of bureaucracy -- and even major corporations don't get as mired in | bureaucracy as government. | You're kind of stuck then aren't you -- at least in respect TLS/SSL and x509 certificates? If you don't trust any of the bodies who have the capability to authenticate the owners of a particular cryptographic key/certificate on your behalf, then you're going to have to do that authentication yourself. Which is cool if you happen to know the movers and shakers in the FreeBSD world personally and you can sit down with them and compare key fingerprints. Or even if you can get an introduction to them through a mutual acquaintance. Oh, wait -- I seem to have reinvented the PGP web-of-trust thing. Shame there's nothing quite like it for x509 certificates. The free Thawte service for signing S/MIME certs for individual e-mail users is about the closest, but Thawte is just a wholly owned subsidiary of Verisign, and they going to be stongly motivated not to internally compete with their profitable business of selling expensive web server certificates. Even so, while PGP signatures work well between a normal circle of correspondents, I can't see how they could work practically to authenticate a service designed to be open to the general public. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. Flat 3 ~ 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate ~ Kent, CT11 9PW, UK -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREDAAYFAklkadAACgkQ8Mjk52CukIzhfQCfVGxx8HBGH/bvWG4VOowDVcTe /78AnR1gDCiA+1kb2agWKC99H54ImW4T =YVhl -----END PGP SIGNATURE-----