From owner-freebsd-security  Wed May 17 12:51:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP
	id EFBFB37BCB4; Wed, 17 May 2000 12:51:24 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id PAA15001;
	Wed, 17 May 2000 15:51:16 -0400 (EDT)
	(envelope-from wollman)
Date: Wed, 17 May 2000 15:51:16 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200005171951.PAA15001@khavrinen.lcs.mit.edu>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: Robert Watson <rwatson@FreeBSD.org>,
	Wes Peters <wes@softweyr.com>, Peter Wemm <peter@netplex.com.au>,
	security@FreeBSD.org
Subject: Re: HEADS UP: New host key for freefall!
In-Reply-To: <Pine.BSF.4.21.0005170922460.48263-100000@freefall.freebsd.org>
References: <Pine.NEB.3.96L.1000517091336.20229A-100000@fledge.watson.org>
	<Pine.BSF.4.21.0005170922460.48263-100000@freefall.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Wed, 17 May 2000 09:33:19 -0700 (PDT), Kris Kennaway <kris@FreeBSD.org> said:

> On Wed, 17 May 2000, Robert Watson wrote:

>> I do agree that we need to do a CA, but as I've mentioned before, we need
>> to do it *right* or not at all.  This means a secure key storage
>> mechanism/facility, offline signing key, etc, etc.  Rather than grow our
>> own, it might be easier (and more affordable) to sit on someone else's,
>> unless BSDi has one already?

> Agreed.

I think it's important to consider that the level of effort required
to implement maximal assurance may not necessarily be appropriate for
this project.  (It certainly isn't appropriate for my organization,
and we have 500 people on staff and 6 people working full-time on
{sys,net}admin.)

>> Does anyone know anything about inter-cert-format certification?  
>> I.e., can an x.509 PKI root sign PGP keys in a useful way?  Is it
>> usefully verifiable in an automated way?

> In principle this can be done by extracting a PGP key from the X.509
> certificate since (AFAIK) it contains (can contain) all of the required
> bits. I'm not sure if something more direct has been standardized, though.

It would be much easier to simply use an X.509 object signing tool to
sign the canonicalized PGP key, and vice versa.  Or, alternatively,
dispense with one of the technologies entirely.  X.509 for
privacy-enhanced mail appears to be effectively dead, and has been for
some time.

>> I've been pushing on PGP, Inc (my employer) to ship a native FreeBSD
>> version of PGP, not just Linux+everythingelseintheworld, but they push
>> back that they've received none (zero) requests for a FreeBSD port.

Perhaps all the FreeBSD people are using either 2.6.2 or GnuPG, so
they really don't care whether the commercial product exists or not.
I use GnuPG, personally, since then I don't have to worry about any
licensing issues at all.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message