Date: Wed, 17 May 2000 11:40:51 -0600 From: Wes Peters <wes@softweyr.com> To: Robert Watson <rwatson@FreeBSD.org> Cc: Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>, committers@FreeBSD.org, security@FreeBSD.org Subject: Re: HEADS UP: New host key for freefall! Message-ID: <3922D9A3.9EEC6033@softweyr.com> References: <Pine.NEB.3.96L.1000517091336.20229A-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Robert Watson wrote: > > [previous material elided because we're in violent agreement] > > Now to address Wes's point: I don't believe SSH1 can do certification, > although I don't know about SSH2. Oh, I was referrering to certificates for sending S/MIME email. > At TIS, we have a DNSsec adaptation to > store host keys in DNS securely, but the secure resolver for BIND9 wasn't > done last I checked, meaning that an SSH client cannot automatically > retrieve and verify the host key using DNSsec yet. DNSsec would really be > an ideal way to distribute host keys for SSH, so I'll push on appropriate > parties to see if we can finish it up some time soon (really depends on > the Nominum/ISC folks). We'll await news from you. > I do agree that we need to do a CA, but as I've mentioned before, we need > to do it *right* or not at all. This means a secure key storage > mechanism/facility, offline signing key, etc, etc. Rather than grow our > own, it might be easier (and more affordable) to sit on someone else's, > unless BSDi has one already? Does anyone know anything about > inter-cert-format certification? I.e., can an x.509 PKI root sign PGP > keys in a useful way? Is it usefully verifiable in an automated way? Not that I know of, unless you count sending the PGP keys in an S/MIME message. I suspect that might be adequate for our needs, but will defer to the expertise of our resident crypto-heads. My security expertise runs more towards system configuration and protocol design. > OpenSSL can handle CA behavior, but there are presumably commercial > products that can do a much better job in terms to handling key splitting, > etc. Some comparison shopping and communication I'm not sure we'll be doing a large enough volume to warrant paying money for CA services. I guess we'd have to work out a plan for what classes of persons and/or positions we plan to issue keys/certs to in order to answer that question. If we're talking about a CA cert, a cert for each of the "hats", and a cert for each committer individually, that means right now we'd need to manage about 210 certs, of which 5 or 6 need to be transferrable. Plus, I really like the idea of a cert with "The FreeBSD Project" as the CA. Are we not the most reliable source of information about FreeBSD? Replies directed to -security, as this has grown out of the scope of committers. (And because I don't want Sheldon to yell again. ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3922D9A3.9EEC6033>