Date: Thu, 18 May 2000 01:57:32 -0600
From: Wes Peters <wes@softweyr.com>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: Kris Kennaway <kris@FreeBSD.org>, Robert Watson <rwatson@FreeBSD.org>, Peter Wemm <peter@netplex.com.au>, security@FreeBSD.org
Subject: Re: HEADS UP: New host key for freefall!
Message-ID: <3923A26C.2E61D1E1@softweyr.com>
References: <Pine.NEB.3.96L.1000517091336.20229A-100000@fledge.watson.org> <Pine.BSF.4.21.0005170922460.48263-100000@freefall.freebsd.org> <200005171951.PAA15001@khavrinen.lcs.mit.edu>
Garrett Wollman wrote:
>
> <<On Wed, 17 May 2000 09:33:19 -0700 (PDT), Kris Kennaway <kris@FreeBSD.org> said:
>
> > On Wed, 17 May 2000, Robert Watson wrote:
>
> >> I do agree that we need to do a CA, but as I've mentioned before, we need
> >> to do it *right* or not at all. This means a secure key storage
> >> mechanism/facility, offline signing key, etc, etc. Rather than grow our
> >> own, it might be easier (and more affordable) to sit on someone else's,
> >> unless BSDi has one already?
>
> > Agreed.
>
> I think it's important to consider that the level of effort required
> to implement maximal assurance may not necessarily be appropriate for
> this project. (It certainly isn't appropriate for my organization,
> and we have 500 people on staff and 6 people working full-time on
> {sys,net}admin.)
Right. Our needs are relatively simple:
o Generate and keep safe a CA key.
o Sign a certificate request for each committer.
o Generate and keep safe a certificate for each "hat".
o Be able to transfer certificates from one person to another when a
new head fills a "hat".
> >> Does anyone know anything about inter-cert-format certification?
> >> I.e., can an x.509 PKI root sign PGP keys in a useful way? Is it
> >> usefully verifiable in an automated way?
>
> > In principle this can be done by extracting a PGP key from the X.509
> > certificate since (AFAIK) it contains (can contain) all of the required
> > bits. I'm not sure if something more direct has been standardized, though.
>
> It would be much easier to simply use an X.509 object signing tool to
> sign the canonicalized PGP key, and vice versa. Or, alternatively,
> dispense with one of the technologies entirely. X.509 for
> privacy-enhanced mail appears to be effectively dead, and has been for
> some time.
There is a lot more than email to be considered here. New SSH keys
for freefall could be much more easily posted on a secure web page
than emailed to the whole world. A simple email indicating the URL
of the page would provide notice.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
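The four needs Wes lists, carried through in code as an added example. This is not code from the thread or from the FreeBSD project; it assumes Go's standard-library crypto/x509 package, Ed25519 keys, and constructed names ("Example Project CA", committer@example.org) that stand in for real ones. It covers the CA key and its self-signed certificate, a committer's certificate request, the CA signing that request only after checking the request's own signature, a relying party verifying the chain and the name, and the "X.509 object signing" step Garrett mentions: a signature over a stand-in for a canonicalized PGP key, checked against the committer's certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a one-year template; committers get isCA=false and no
// cert-signing key usage, so a leaked committer key cannot mint certificates.
func certTemplate(serial int64, name string, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
}

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA generates the CA signing key and its self-signed certificate; in the
// scheme the thread discusses this key would be generated and kept offline.
func newCA() (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, "Example Project CA", true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature) // constructed name
	cert, err := issue(tmpl, tmpl, pub, key)
	return key, cert, err
}

// committerCSR runs on the committer's machine: the private key stays there; only the self-signed request (name + public key) goes to the CA.
func committerCSR(name string) (ed25519.PrivateKey, *x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// signCSR is the CA's step: confirm proof of possession (the CSR's own signature), then issue a non-CA certificate for the requested name.
func signCSR(caKey ed25519.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	return issue(certTemplate(serial, csr.Subject.CommonName, false, x509.KeyUsageDigitalSignature), caCert, csr.PublicKey, caKey)
}

// verifyChain is the relying party's check: the certificate must chain to the
// project CA and must name the committer we expect.
func verifyChain(caCert, cert *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil && cert.Subject.CommonName != name {
		err = fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, name)
	}
	return err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	caKey, caCert, err := newCA()
	must(err)
	commKey, csr, err := committerCSR("committer@example.org") // constructed name
	must(err)
	cert, err := signCSR(caKey, caCert, csr, 2)
	must(err)
	must(verifyChain(caCert, cert, "committer@example.org"))
	// "Object signing": the committer signs an arbitrary blob (a stand-in for a
	// canonicalized PGP key) and the CA-issued certificate verifies it.
	obj := []byte("constructed stand-in for a canonicalized PGP public key block")
	must(cert.CheckSignature(x509.PureEd25519, obj, ed25519.Sign(commKey, obj)))
	fmt.Println("committer certificate issued and object signature verified")
}
```

Two points the code makes that the list only implies: the CA never sees a committer's private key (only the request crosses the wire, and its self-signature proves the requester holds the key), and a certificate from an unrelated CA with the same subject name still fails verifyChain because the signature, not the name, is what binds it to the project root.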