Message-ID: <536B22D2.3060503@infracaninophile.co.uk>
Date: Thu, 08 May 2014 07:23:14 +0100
From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: svn https access

On 07/05/2014 21:46, pete wright wrote:
> loading that site in firefox gives a warning indicating that the CA is
> not registered as well. is this done on purpose? kind of hesitant to
> enable pkg fingerprints on my nodes if i could be using a potentially
> forged fingerprint.

In principle, now that freebsd.org is DNSSEC enabled, any SSL key can be
securely identified as belonging to the FreeBSD project by including a
key digest in the DNS. See RFC 6698. However I can't seem to find any
TLSA records associated with 'svn.freebsd.org' or
'svn0.us-east.freebsd.org' [*] or 'svnmir.nyi.freebsd.org'.

This method has the advantage that you don't need to spend money buying
certs from CAs. However, support in browsers and other software is going
to be patchy at best, so manual verification will be necessary.

	Cheers,

	Matthew

[*] A CNAME, so there couldn't be a TLSA record anyhow.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
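
The manual verification mentioned in the message comes down to recomputing the RFC 6698 certificate association data from the certificate a server presents and comparing it with the published TLSA record. The sketch below is an added example, not part of the original message or of any FreeBSD tooling; the test input built by the hypothetical helper `fake_cert` is constructed DER shaped like a certificate, not a real one.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Return (tag, value_start, element_end) of the DER element at pos."""
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return buf[pos], pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    size = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return buf[pos], pos + 2 + n, pos + 2 + n + size

def spki_from_cert(cert_der):
    """Slice the SubjectPublicKeyInfo out of a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def association_data(cert_der, selector, mtype):
    """RFC 6698 association data: selector 0=full cert, 1=SPKI; mtype 0/1/2."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:                         # exact match, no hashing
        return data
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def tlsa_matches(rdata, cert_der):
    """Compare TLSA presentation-format RDATA ('3 1 1 <hex>') with a certificate."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)
    want = bytes.fromhex("".join(hexdata.split()))
    got = association_data(cert_der, int(selector), int(mtype))
    return hmac.compare_digest(want, got)

# --- constructed sample data: DER shaped like a certificate, not a real one ---
def _der(tag, body):
    n = len(body)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])   # bodies under 256 bytes
    return bytes([tag]) + size + body

def fake_cert(serial, key):
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x03")) + _der(0x03, b"\x00" + key))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a live server, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` yields the DER input. The comparison only means something if the TLSA record was obtained through a DNSSEC-validating resolver.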