Date: Wed, 17 May 2000 13:09:32 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: security@freebsd.org
Cc: Robert Watson <rwatson@FreeBSD.org>, Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>
Subject: Re: HEADS UP: New host key for freefall!
Message-ID: <Pine.BSF.4.21.0005171255500.80144-100000@freefall.freebsd.org>
In-Reply-To: <3922D9A3.9EEC6033@softweyr.com>

On Wed, 17 May 2000, Wes Peters wrote:

> > Now to address Wes's point: I don't believe SSH1 can do certification,
> > although I don't know about SSH2.
>
> Oh, I was referring to certificates for sending S/MIME email.

In theory PKI can do everything [*]: S/MIME email, PGP signatures, signed
SSH hostkeys so you don't have to explicitly verify the new key through
out-of-band trusted channels, SSL certificates for secure web services,
etc. In theory these formats should all be pretty inter-convertible, since
they all contain "enough crypto" (packaged in different ways) to make a
decent protocol happy.

> I'm not sure we'll be doing a large enough volume to warrant paying money
> for CA services. I guess we'd have to work out a plan for what classes
> of persons and/or positions we plan to issue keys/certs to in order to
> answer that question. If we're talking about a CA cert, a cert for each
> of the "hats", and a cert for each committer individually, that means
> right now we'd need to manage about 210 certs, of which 5 or 6 need to
> be transferable.

The point of a PKI is that you can have a *single* trusted root
certificate with all others signed by that one in a hierarchy. In order to
root the tree in something which (e.g.) Netscape browsers will
automatically understand, we'd need to have at least one key signed by a
commercial CA (Verisign, Thawte, ..) which is used as the basis for the
FreeBSD PKI, but there's no inherent need for more than one "purchased"
certificate.

> Plus, I really like the idea of a cert with "The FreeBSD Project" as the
> CA. Are we not the most reliable source of information about FreeBSD?

Certified signatures are not about verifying the information content of
data; they're about verifying the integrity of the message and the
authenticity of the signing key.

Kris

[*] See however http://www.counterpane.com/pki-risks.html

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>