Date:      Wed, 17 May 2000 12:11:50 -0700 (PDT)
From:      "Duane H. Hesser" <dhh@androcles.com>
To:        security@FreeBSD.ORG
Subject:   Re: HEADS UP: New host key for freefall!
Message-ID:  <XFMail.000517121150.dhh@androcles.com>
In-Reply-To: <3922D9A3.9EEC6033@softweyr.com>

Sorry to bust in in the middle like this. This is the first message
on this topic I've seen, so I haven't seen the "previous material",
thus the comments/questions below may be irrelevant to the discussion
at hand (if so, please forgive the intrusion).

For some time, I have had an interest in SDSI (Simple Distributed
Security Infrastructure) by Ronald Rivest and Butler Lampson.  It
has a simple elegance which appeals to me, although I have not yet
had much opportunity to work with it.

Would this infrastructure be of interest in your current discussion?

For those who are not familiar with it yet, the following links
may be of interest:

http://theory.lcs.mit.edu/~rivest/sdsi10.html

(just scan the Overview to get the concept)

The "top" page, from which distributions and related papers may be
accessed is

http://theory.lcs.mit.edu/~cis/sdsi.html

SDSI has been integrated with SPKI in the past year or so; there's
even a Java implementation for those inclined in that direction.

If this is out of scope for your current discussion, I'd still
be interested in hearing comments (positive or negative) from
anyone inclined.

Now back to your regularly scheduled programming...

On 17-May-00 Wes Peters wrote:
> Robert Watson wrote:
>> 
>> [previous material elided because we're in violent agreement]
>> 
>> Now to address Wes's point: I don't believe SSH1 can do certification,
>> although I don't know about SSH2. 
> 
> Oh, I was referring to certificates for sending S/MIME email.
> 
>> At TIS, we have a DNSsec adaptation to
>> store host keys in DNS securely, but the secure resolver for BIND9 wasn't
>> done last I checked, meaning that an SSH client cannot automatically
>> retrieve and verify the host key using DNSsec yet.  DNSsec would really be
>> an ideal way to distribute host keys for SSH, so I'll push on appropriate
>> parties to see if we can finish it up some time soon (really depends on
>> the Nominum/ISC folks).
> 
> We'll await news from you.
> 
>> I do agree that we need to do a CA, but as I've mentioned before, we need
>> to do it *right* or not at all.  This means a secure key storage
>> mechanism/facility, offline signing key, etc, etc.  Rather than grow our
>> own, it might be easier (and more affordable) to sit on someone else's,
>> unless BSDi has one already?  Does anyone know anything about
>> inter-cert-format certification?  I.e., can an x.509 PKI root sign PGP
>> keys in a useful way?  Is it usefully verifiable in an automated way?
> 
> Not that I know of, unless you count sending the PGP keys in an S/MIME
> message.  I suspect that might be adequate for our needs, but will defer
> to the expertise of our resident crypto-heads.  My security expertise
> runs more towards system configuration and protocol design.
> 
>> OpenSSL can handle CA behavior, but there are presumably commercial
>> products that can do a much better job in terms of handling key splitting,
>> etc.  Some comparison shopping and communication
> 
> I'm not sure we'll be doing a large enough volume to warrant paying money
> for CA services.  I guess we'd have to work out a plan for what classes
> of persons and/or positions we plan to issue keys/certs to in order to
> answer that question.  If we're talking about a CA cert, a cert for each
> of the "hats", and a cert for each committer individually, that means
> right now we'd need to manage about 210 certs, of which 5 or 6 need to 
> be transferable.
> 
> Plus, I really like the idea of a cert with "The FreeBSD Project" as the
> CA.  Are we not the most reliable source of information about FreeBSD?
> 
> Replies directed to -security, as this has grown out of the scope of
> committers.  (And because I don't want Sheldon to yell again.  ;^)
> 
> -- 
>             "Where am I, and what am I doing in this handbasket?"
> 
> Wes Peters                                                         Softweyr LLC
> wes@softweyr.com                                           http://softweyr.com/
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

--------------
Duane H. Hesser
dhh@androcles.com

