Date: Sat, 8 Mar 2014 17:31:14 -0500 From: grarpamp <grarpamp@gmail.com> To: freebsd-questions@freebsd.org Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org Subject: Secure Infrastructure [Crypto signed ISO images] Message-ID: <CAD2Ti28yxP62DASM6vkzSBagK1wL7BGSp-VqDkK8LWmDC5MRZg@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
>>> Cryptografically signed ISO images >>> http://docs.freebsd.org/cgi/mid.cgi?20140302172759.GA4728 >> If the use of [the signed] SHA-2[56] hashes don't provide enough >> assurance that the ISO images are authentic can you explain the >> crypto technology that you are looking for? Signing the ISO's [hashes of same] is a common practice. As is now signing the packages. However, just remember that both of these are only handwavy security bandaids trying to be placed from the periphery in, which is not the way to do things right... Until the FreeBSD project ... (1) moves to a repository such as Git [or something like the even further crypto integrated Monotone], where the repository itself has an internal crypto hash structure that can be signed from the very first initializing commit and upon later commits/tags/branches, etc... and (2) has and uses deterministic reproducible builds for everything flowing downstream from that [the source repo, packages, isos, build servers, rsync/ftp/http distribution servers, web/wiki/forum/mail servers, etc...] ... signing the periphery may look good to the casual observer, but it is ultimately untraceable in any cryptographic sense to the code from which those periphery elements are purported to come from. That's not a good position to be in, and is a clarification regarding discontiguous trust chains that needs pointed out. It also wouldn't hurt to have the repo on ZFS raidzN sha256, ECC ram, etc... if not already. >> if you verified the certificate of https host... ... you probably have more to learn about verification. https://www.eff.org/observatory https://en.wikipedia.org/wiki/Certificate_transparency And let's not forget the needed DNSSEC and IPSEC components. Though 1 and 2 above would be a great start. References... https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details https://wiki.debian.org/ReproducibleBuilds https://gitian.org/ http://git-scm.com/about/distributed http://git-scm.com/about/info-assurance http://www.monotone.ca/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAD2Ti28yxP62DASM6vkzSBagK1wL7BGSp-VqDkK8LWmDC5MRZg>