Date: Thu, 18 May 2000 01:57:32 -0600
From: Wes Peters <wes@softweyr.com>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: Kris Kennaway <kris@FreeBSD.org>, Robert Watson <rwatson@FreeBSD.org>, Peter Wemm <peter@netplex.com.au>, security@FreeBSD.org
Subject: Re: HEADS UP: New host key for freefall!
Message-ID: <3923A26C.2E61D1E1@softweyr.com>
References: <Pine.NEB.3.96L.1000517091336.20229A-100000@fledge.watson.org> <Pine.BSF.4.21.0005170922460.48263-100000@freefall.freebsd.org> <200005171951.PAA15001@khavrinen.lcs.mit.edu>
Garrett Wollman wrote:
>
> <<On Wed, 17 May 2000 09:33:19 -0700 (PDT), Kris Kennaway <kris@FreeBSD.org> said:
>
> > On Wed, 17 May 2000, Robert Watson wrote:
>
> >> I do agree that we need to do a CA, but as I've mentioned before, we need
> >> to do it *right* or not at all. This means a secure key storage
> >> mechanism/facility, offline signing key, etc, etc. Rather than grow our
> >> own, it might be easier (and more affordable) to sit on someone else's,
> >> unless BSDi has one already?
>
> > Agreed.
>
> I think it's important to consider that the level of effort required
> to implement maximal assurance may not necessarily be appropriate for
> this project. (It certainly isn't appropriate for my organization,
> and we have 500 people on staff and 6 people working full-time on
> {sys,net}admin.)

Right. Our needs are relatively simple:

o Generate and keep safe a CA key.
o Sign a certificate request for each committer.
o Generate and keep safe a certificate for each "hat".
o Be able to transfer certificates from one person to another when a new
  head fills a "hat".

> >> Does anyone know anything about inter-cert-format certification?
> >> I.e., can an x.509 PKI root sign PGP keys in a useful way? Is it
> >> usefully verifiable in an automated way?
>
> > In principle this can be done by extracting a PGP key from the X.509
> > certificate since (AFAIK) it contains (can contain) all of the required
> > bits. I'm not sure if something more direct has been standardized, though.
>
> It would be much easier to simply use an X.509 object signing tool to
> sign the canonicalized PGP key, and vice versa. Or, alternatively,
> dispense with one of the technologies entirely. X.509 for
> privacy-enhanced mail appears to be effectively dead, and has been for
> some time.

There is a lot more than email to be considered here. New SSH keys for
freefall could be much more easily posted on a secure web page than emailed
to the whole world. A simple email indicating the URL of the page would
provide notice.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
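The distribution scheme the message proposes (full key on an HTTPS page, a mailed notice carrying the URL and fingerprint) only protects against a swapped key if the recipient actually compares the two. The following is an added example, not code from this thread or from FreeBSD: it parses an OpenSSH public key line, computes the fingerprints in the formats ssh-keygen -l prints, and checks the posted key against the announced fingerprint. The key material and the fingerprint are constructed in the block; they are not freefall's real host key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the MSB is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def parse_pubkey_line(line: str):
    """Split a 'type base64 [comment]' line; reject it if the type inside the blob differs."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside the blob does not match the text type")
    return keytype, blob


def fingerprints(blob: bytes):
    """Fingerprints as ssh-keygen -l shows them: SHA256 (unpadded base64) and MD5 (hex pairs)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def key_matches_announcement(posted_line: str, announced_fp: str) -> bool:
    """True only if the fingerprint from the mailed notice matches the key fetched from the page."""
    _, blob = parse_pubkey_line(posted_line)
    return announced_fp in fingerprints(blob).values()


# Constructed sample: a toy ssh-rsa blob (tiny modulus, illustration only) standing in
# for the key published on the web page; the announced fingerprint is derived from it.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE12345678_9ABCDEF0)
POSTED_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " sample host key (constructed)"
ANNOUNCED_FP = fingerprints(SAMPLE_BLOB)["SHA256"]

if __name__ == "__main__":
    print(ANNOUNCED_FP, key_matches_announcement(POSTED_LINE, ANNOUNCED_FP))
```

The comparison is only as good as the channel the fingerprint arrived on, so the check belongs on the recipient's side before the new key is added to known_hosts.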