Date: Thu, 18 May 2000 02:01:44 -0600
From: Wes Peters <wes@softweyr.com>
To: Kris Kennaway <kris@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, Robert Watson <rwatson@FreeBSD.ORG>, Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>
Subject: Re: HEADS UP: New host key for freefall!
Message-ID: <3923A366.A309CED9@softweyr.com>
References: <Pine.BSF.4.21.0005171255500.80144-100000@freefall.freebsd.org>
Kris Kennaway wrote:
>
> On Wed, 17 May 2000, Wes Peters wrote:
>
> > > Now to address Wes's point: I don't believe SSH1 can do certification,
> > > although I don't know about SSH2.
> >
> > Oh, I was referring to certificates for sending S/MIME email.
>
> In theory PKI can do everything [*]: S/MIME email, PGP signatures, signed
> SSH hostkeys so you don't have to explicitly verify the new key through
> out-of-band trusted channels, SSL certificates for secure web services,
> etc. In theory these formats should all be pretty inter-convertible, since
> they all contain "enough crypto" (packaged in different ways) to make a
> decent protocol happy.
>
> > I'm not sure we'll be doing a large enough volume to warrant paying money
> > for CA services. I guess we'd have to work out a plan for what classes
> > of persons and/or positions we plan to issue keys/certs to in order to
> > answer that question. If we're talking about a CA cert, a cert for each
> > of the "hats", and a cert for each committer individually, that means
> > right now we'd need to manage about 210 certs, of which 5 or 6 need to
> > be transferable.
>
> The point of a PKI is that you can have a *single* trusted root
> certificate with all others signed by that one in a hierarchy. In order to
> root the tree in something which (e.g.) Netscape browsers will
> automatically understand, we'd need to have at least one key signed by a
> commercial CA (Verisign, Thawte, ..) which is used as the basis for the
> FreeBSD PKI, but there's no inherent need for more than one "purchased"
> certificate.

It is quite simple to add a CA to your browser, I've done it at work
several times this week. ;^)

Also, there is more than just the browser at stake here; when I finish my
work on pkg_add it will be able to accept and verify signed packages. How
much checking of the certificate we choose to do is up for grabs.

> > Plus, I really like the idea of a cert with "The FreeBSD Project" as the
> > CA. Are we not the most reliable source of information about FreeBSD?
>
> Certified signatures are not about verifying the information content of
> data, it's about verifying the integrity of the message and the
> authenticity of the signing key.

Exactly.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
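The single-root hierarchy Kris describes, and the kind of check Wes's signed-package work implies, as an added illustration that is not part of this thread and not FreeBSD's pkg_add or any Project tooling. The signature primitive is textbook RSA over a SHA-256 digest with a fixed seed, standing in for a real scheme purely so the example runs with the standard library; the certificate layout, the `can_issue` flag (playing the role of an X.509 CA constraint), the names, keys and package bytes are all constructed for the example. It shows what a chain check buys (a tampered package, a cert minted by a committer key, and a cert hanging off an unrelated self-signed root are all rejected) and what it does not: passing the check says the bytes are intact and the key is vouched for by the Project, nothing about whether the package is any good.

```python
import hashlib
import json
import random

# Toy signature primitive: textbook RSA over SHA-256, 512-bit modulus, fixed
# seed. ASSUMPTION: a stand-in so the example runs offline with only the
# standard library; it is not a real-world signature scheme.
_rng = random.Random(2000)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after trial division by a few small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return (public, private) = ((n, e), (n, d)); n > 2**510 so a digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data)


def _tbs(cert):
    """Canonical to-be-signed bytes: every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(subject, public, can_issue, issuer_cert, issuer_private):
    """Issue a cert; a root passes issuer_cert=None and signs with its own key."""
    cert = {"subject": subject, "pubkey": list(public), "can_issue": can_issue,
            "issuer": issuer_cert["subject"] if issuer_cert else subject}
    cert["sig"] = sign(issuer_private, _tbs(cert))
    return cert


def verify_chain(cert, store, trusted_root):
    """Walk cert -> issuer -> ... to the one trusted root. Each link needs an issuer
    we hold, that issuer must be allowed to issue, and the signature must verify
    under its key. A self-signed cert passes only if it *is* the trusted root."""
    seen = set()
    while cert["subject"] not in seen:
        seen.add(cert["subject"])
        if cert["issuer"] == cert["subject"]:
            return cert == trusted_root and verify(cert["pubkey"], _tbs(cert), cert["sig"])
        issuer = store.get(cert["issuer"])
        if issuer is None or not issuer["can_issue"]:
            return False
        if not verify(issuer["pubkey"], _tbs(cert), cert["sig"]):
            return False
        cert = issuer
    return False  # cycle that never reached the root


def verify_package(package, sig, signer_cert, store, trusted_root):
    """Intact bytes from a key the root vouches for; says nothing about content."""
    return verify_chain(signer_cert, store, trusted_root) and verify(signer_cert["pubkey"], package, sig)


def demo():
    """Root -> hat -> committer hierarchy plus the failure cases. All constructed."""
    root_pub, root_priv = keygen()
    root = issue("The FreeBSD Project CA", root_pub, True, None, root_priv)
    hat_pub, hat_priv = keygen()
    hat = issue("ports hat", hat_pub, True, root, root_priv)
    wes_pub, wes_priv = keygen()
    wes = issue("committer", wes_pub, False, hat, hat_priv)  # may sign packages, not certs
    store = {c["subject"]: c for c in (root, hat, wes)}
    package = b"constructed package payload: example-1.0.tgz"
    sig = sign(wes_priv, package)
    # A cert minted by a committer key, and one hanging off an unrelated self-signed root.
    mal_pub, _ = keygen()
    mallory = issue("mallory", mal_pub, False, wes, wes_priv)
    other_pub, other_priv = keygen()
    other_root = issue("Some Other CA", other_pub, True, None, other_priv)
    imp_pub, _ = keygen()
    impostor = issue("impostor", imp_pub, False, other_root, other_priv)
    store.update({c["subject"]: c for c in (mallory, other_root, impostor)})
    return {
        "good_package": verify_package(package, sig, wes, store, root),
        "tampered_package": verify_package(package + b"!", sig, wes, store, root),
        "cert_issued_by_committer": verify_chain(mallory, store, root),
        "cert_from_untrusted_root": verify_chain(impostor, store, root),
        "wrong_signer_cert": verify_package(package, sig, hat, store, root),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints one `True` (the untouched package under the committer's cert) and four `False` results. The `can_issue` check on each issuer is the part "up for grabs" in the thread: without it, a committer key could mint certificates for anyone and the single-root property would mean nothing.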