Date: Thu, 18 May 2000 02:01:44 -0600
From: Wes Peters <wes@softweyr.com>
To: Kris Kennaway <kris@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, Robert Watson <rwatson@FreeBSD.ORG>, Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>
Subject: Re: HEADS UP: New host key for freefall!
Message-ID: <3923A366.A309CED9@softweyr.com>
References: <Pine.BSF.4.21.0005171255500.80144-100000@freefall.freebsd.org>
Kris Kennaway wrote:
>
> On Wed, 17 May 2000, Wes Peters wrote:
>
> > > Now to address Wes's point: I don't believe SSH1 can do certification,
> > > although I don't know about SSH2.
> >
> > Oh, I was referring to certificates for sending S/MIME email.
>
> In theory PKI can do everything [*]: S/MIME email, PGP signatures, signed
> SSH hostkeys so you don't have to explicitly verify the new key through
> out-of-band trusted channels, SSL certificates for secure web services,
> etc. In theory these formats should all be pretty inter-convertible, since
> they all contain "enough crypto" (packaged in different ways) to make a
> decent protocol happy.
>
> > I'm not sure we'll be doing a large enough volume to warrant paying money
> > for CA services. I guess we'd have to work out a plan for what classes
> > of persons and/or positions we plan to issue keys/certs to in order to
> > answer that question. If we're talking about a CA cert, a cert for each
> > of the "hats", and a cert for each committer individually, that means
> > right now we'd need to manage about 210 certs, of which 5 or 6 need to
> > be transferable.
>
> The point of a PKI is that you can have a *single* trusted root
> certificate with all others signed by that one in a hierarchy. In order to
> root the tree in something which (e.g.) Netscape browsers will
> automatically understand, we'd need to have at least one key signed by a
> commercial CA (Verisign, Thawte, ..) which is used as the basis for the
> FreeBSD PKI, but there's no inherent need for more than one "purchased"
> certificate.
It is quite simple to add a CA to your browser, I've done it at work
several times this week. ;^) Also, there is more than just the
browser at stake here; when I finish my work on pkg_add it will be
able to accept and verify signed packages. How much checking of the
certificate we choose to do is up for grabs.
> > Plus, I really like the idea of a cert with "The FreeBSD Project" as the
> > CA. Are we not the most reliable source of information about FreeBSD?
>
> Certified signatures are not about verifying the information content of
> data, it's about verifying the integrity of the message and the
> authenticity of the signing key.
Exactly.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
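The hierarchy Kris describes above (a single purchased root signing a FreeBSD CA, which in turn signs individual committer keys) and the signed-package check Wes mentions for pkg_add, as an added example that is not part of the thread or of pkg_add: the CA names, the committer placeholder, the package bytes and the Mersenne-prime keys are all constructed, and the textbook RSA is a toy used only to make the chain logic runnable.

```python
# Added example, not code from the thread: a toy PKI where one trusted root
# (the single purchased cert) signs the FreeBSD CA, which signs committer keys,
# which sign packages. Textbook RSA over constructed Mersenne primes: this
# illustrates the hierarchy only and is not a usable signature scheme.
import hashlib

E = 65537

def make_key(p, q):  # -> (public, private)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def tbs(cert):  # to-be-signed bytes: subject, its key and the issuer name
    return f"{cert['subject']}|{cert['pub']}|{cert['issuer']}".encode()

def issue(subject, pub, issuer, issuer_priv):
    cert = {"subject": subject, "pub": pub, "issuer": issuer}
    return {**cert, "sig": sign(issuer_priv, tbs(cert))}

def verify_chain(chain, trusted_roots):
    """Leaf -> root: each cert is signed by the next; the last must be a root
    the verifier explicitly trusts (matching the name alone is not enough)."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"] or not verify(issuer["pub"], tbs(cert), cert["sig"]):
            return False
    root = chain[-1]
    return root in trusted_roots and verify(root["pub"], tbs(root), root["sig"])

def verify_package(pkg, pkg_sig, chain, trusted_roots):
    """Integrity of pkg and authenticity of the signing key, nothing more."""
    return verify_chain(chain, trusted_roots) and verify(chain[0]["pub"], pkg, pkg_sig)

def demo():
    root_pub, root_priv = make_key(2**127 - 1, 2**107 - 1)  # constructed keys
    fbsd_pub, fbsd_priv = make_key(2**89 - 1, 2**61 - 1)
    dev_pub, dev_priv = make_key(2**31 - 1, 2**19 - 1)
    root = issue("Commercial CA", root_pub, "Commercial CA", root_priv)
    fbsd = issue("The FreeBSD Project", fbsd_pub, "Commercial CA", root_priv)
    dev = issue("committer (placeholder)", dev_pub, "The FreeBSD Project", fbsd_priv)
    chain, pkg = [dev, fbsd, root], b"constructed package contents"
    sig = sign(dev_priv, pkg)
    rogue_pub, rogue_priv = make_key(2**521 - 1, 2**13 - 1)  # same name, untrusted key
    rogue = issue("Commercial CA", rogue_pub, "Commercial CA", rogue_priv)
    return (verify_package(pkg, sig, chain, [root]),         # True
            verify_package(pkg + b"x", sig, chain, [root]),  # False: tampered
            verify_package(pkg, sig, chain, [rogue]))        # False: untrusted root
```

Only the root has to be distributed out of band; every other key is accepted because of a signature, which is what lets one purchased certificate anchor the whole tree.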
