Date: Tue, 6 Jan 2009 12:31:26 -0700 From: Chad Perrin <perrin@apotheon.com> To: freebsd-questions@freebsd.org Subject: Re: Foiling MITM attacks on source and ports trees Message-ID: <20090106193126.GA82164@kokopelli.hydra> In-Reply-To: <20090106102124.O34151@wojtek.tensor.gdynia.pl> References: <20090102164412.GA1258@phenom.cordula.ws> <20090103013825.18910bf5@gumby.homeunix.com> <495F5DD7.2070302@infracaninophile.co.uk> <200901052258.39785.fbsd.questions@rachie.is-a-geek.net> <20090106102124.O34151@wojtek.tensor.gdynia.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
--9jxsPFA5p3P2qPhR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote: > >>someone like the FreeBSD Foundation as an appropriate body to own the= =20 > >>cert. > > > ><OT> > >I would actually trust a self-signed cert by the FreeBSD security office= r, > >more then one by Verisign. > of course. >=20 > there is no need to have an "authority" to make key pairs, everybody do i= t=20 > alone. >=20 > actually i would fear using such keys because i'm sure such companies do= =20 > have a copy of both keys. Out-of-band corroboration of a certificate's authenticity is kind of necessary to the security model of SSL/TLS. A self-signed certificate, in and of itself, is not really sufficient to ensure the absence of a man in the middle attack or other compromise of the system. On the other hand, I don't trust Verisign, either. I believe some steps are being made by the Perpsectives [1] project that lead in the right direction [2]. Unfortunately, it's not available at present for FreeBSD, because the Firefox plugin depends on a binary executable compiled from C, and my (brief) discussion with one of the people involved in the project about the potential of porting it to FreeBSD didn't really bear fruit. NOTES: [1] http://www.cs.cmu.edu/~perspectives/index.html [2] http://blogs.techrepublic.com.com/security/?p#571 --=20 Chad Perrin [ content licensed OWL: http://owl.apotheon.org ] Quoth Anonymous: "Why do we never have time to do it right, but always have time to do it over?" --9jxsPFA5p3P2qPhR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkljsY4ACgkQ9mn/Pj01uKUxAgCeLCPrE+khnNP3HAvbNWmOWboq f50AoPjSnQVTa3dWyZKGY7hZ67kPOSd9 =L7Pu -----END PGP SIGNATURE----- --9jxsPFA5p3P2qPhR--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090106193126.GA82164>