Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 07 Jan 2009 08:37:37 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: Foiling MITM attacks on source and ports trees
Message-ID:  <496469D1.4060600@infracaninophile.co.uk>
In-Reply-To: <20090107072227.GA84869@kokopelli.hydra>
References:  <20090102164412.GA1258@phenom.cordula.ws>	<20090106102124.O34151@wojtek.tensor.gdynia.pl>	<20090106193126.GA82164@kokopelli.hydra>	<200901061111.52155.fbsd.questions@rachie.is-a-geek.net> <20090107072227.GA84869@kokopelli.hydra>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Chad Perrin wrote:
| On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
|> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
|>> Out-of-band corroboration of a certificate's authenticity is kind of
|>> necessary to the security model of SSL/TLS.  A self-signed certificate,
|>> in and of itself, is not really sufficient to ensure the absence of a man
|>> in the middle attack or other compromise of the system.
|>>
|>> On the other hand, I don't trust Verisign, either.
|> In the less virtual world, we only trust governments to provide identity
|> papers (manufactured by companies, but still the records are kept and
|> verified by a government entity).
|> Instead of trying to regulate the internet and provide a penal system,
|> governments would do much better taking their responsibility on these
issues.
|> It shouldn't be so hard to give every citizen the option to "get an online
|> certificate corresponding with their passport" and similarly for
Chambers of
|> Commerce to provide certificates for businesses.
|
| My distrust of of the certifying authority is not mitigated by replacing
| Verisign with FedCorp.  Institutional incompetence is typically a result
| of bureaucracy -- and even major corporations don't get as mired in
| bureaucracy as government.
|

You're kind of stuck then aren't you -- at least in respect TLS/SSL and
x509 certificates?  If you don't trust any of the bodies who have the
capability to authenticate the owners of a particular cryptographic
key/certificate on your behalf, then you're going to have to do that
authentication yourself.  Which is cool if you happen to know the movers
and shakers in the FreeBSD world personally and you can sit down with them
and compare key fingerprints.  Or even if you can get an introduction to
them through a mutual acquaintance.

Oh, wait -- I seem to have reinvented the PGP web-of-trust thing.  Shame
there's nothing quite like it for x509 certificates.  The free Thawte
service for signing S/MIME certs for individual e-mail users is about the
closest, but Thawte is just a wholly owned subsidiary of Verisign, and
they going to be stongly motivated not to internally compete with their
profitable business of selling expensive web server certificates.

Even so, while PGP signatures work well between a normal circle of
correspondents, I can't see how they could work practically to
authenticate a service designed to be open to the general public.

	Cheers,

	Matthew

- --
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
~                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
~                                                      Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAklkadAACgkQ8Mjk52CukIzhfQCfVGxx8HBGH/bvWG4VOowDVcTe
/78AnR1gDCiA+1kb2agWKC99H54ImW4T
=YVhl
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?496469D1.4060600>