Date: Wed, 17 May 2000 11:40:51 -0600 From: Wes Peters <wes@softweyr.com> To: Robert Watson <rwatson@FreeBSD.org> Cc: Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>, committers@FreeBSD.org, security@FreeBSD.org Subject: Re: HEADS UP: New host key for freefall! Message-ID: <3922D9A3.9EEC6033@softweyr.com> References: <Pine.NEB.3.96L.1000517091336.20229A-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Robert Watson wrote:
>
> [previous material elided because we're in violent agreement]
>
> Now to address Wes's point: I don't believe SSH1 can do certification,
> although I don't know about SSH2.
Oh, I was referrering to certificates for sending S/MIME email.
> At TIS, we have a DNSsec adaptation to
> store host keys in DNS securely, but the secure resolver for BIND9 wasn't
> done last I checked, meaning that an SSH client cannot automatically
> retrieve and verify the host key using DNSsec yet. DNSsec would really be
> an ideal way to distribute host keys for SSH, so I'll push on appropriate
> parties to see if we can finish it up some time soon (really depends on
> the Nominum/ISC folks).
We'll await news from you.
> I do agree that we need to do a CA, but as I've mentioned before, we need
> to do it *right* or not at all. This means a secure key storage
> mechanism/facility, offline signing key, etc, etc. Rather than grow our
> own, it might be easier (and more affordable) to sit on someone else's,
> unless BSDi has one already? Does anyone know anything about
> inter-cert-format certification? I.e., can an x.509 PKI root sign PGP
> keys in a useful way? Is it usefully verifiable in an automated way?
Not that I know of, unless you count sending the PGP keys in an S/MIME
message. I suspect that might be adequate for our needs, but will defer
to the expertise of our resident crypto-heads. My security expertise
runs more towards system configuration and protocol design.
> OpenSSL can handle CA behavior, but there are presumably commercial
> products that can do a much better job in terms to handling key splitting,
> etc. Some comparison shopping and communication
I'm not sure we'll be doing a large enough volume to warrant paying money
for CA services. I guess we'd have to work out a plan for what classes
of persons and/or positions we plan to issue keys/certs to in order to
answer that question. If we're talking about a CA cert, a cert for each
of the "hats", and a cert for each committer individually, that means
right now we'd need to manage about 210 certs, of which 5 or 6 need to
be transferrable.
Plus, I really like the idea of a cert with "The FreeBSD Project" as the
CA. Are we not the most reliable source of information about FreeBSD?
Replies directed to -security, as this has grown out of the scope of
committers. (And because I don't want Sheldon to yell again. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3922D9A3.9EEC6033>