Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 6 Jan 2009 12:31:26 -0700
From:      Chad Perrin <perrin@apotheon.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Foiling MITM attacks on source and ports trees
Message-ID:  <20090106193126.GA82164@kokopelli.hydra>
In-Reply-To: <20090106102124.O34151@wojtek.tensor.gdynia.pl>
References:  <20090102164412.GA1258@phenom.cordula.ws> <20090103013825.18910bf5@gumby.homeunix.com> <495F5DD7.2070302@infracaninophile.co.uk> <200901052258.39785.fbsd.questions@rachie.is-a-geek.net> <20090106102124.O34151@wojtek.tensor.gdynia.pl>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--9jxsPFA5p3P2qPhR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> >>someone like the FreeBSD Foundation as an appropriate body to own the=
=20
> >>cert.
> >
> ><OT>
> >I would actually trust a self-signed cert by the FreeBSD security office=
r,
> >more then one by Verisign.
> of course.
>=20
> there is no need to have an "authority" to make key pairs, everybody do i=
t=20
> alone.
>=20
> actually i would fear using such keys because i'm sure such companies do=
=20
> have a copy of both keys.

Out-of-band corroboration of a certificate's authenticity is kind of
necessary to the security model of SSL/TLS.  A self-signed certificate,
in and of itself, is not really sufficient to ensure the absence of a man
in the middle attack or other compromise of the system.

On the other hand, I don't trust Verisign, either.

I believe some steps are being made by the Perpsectives [1] project that
lead in the right direction [2].  Unfortunately, it's not available at
present for FreeBSD, because the Firefox plugin depends on a binary
executable compiled from C, and my (brief) discussion with one of the
people involved in the project about the potential of porting it to
FreeBSD didn't really bear fruit.


NOTES:
[1] http://www.cs.cmu.edu/~perspectives/index.html
[2] http://blogs.techrepublic.com.com/security/?p#571

--=20
Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Anonymous: "Why do we never have time to do it right, but always
have time to do it over?"

--9jxsPFA5p3P2qPhR
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkljsY4ACgkQ9mn/Pj01uKUxAgCeLCPrE+khnNP3HAvbNWmOWboq
f50AoPjSnQVTa3dWyZKGY7hZ67kPOSd9
=L7Pu
-----END PGP SIGNATURE-----

--9jxsPFA5p3P2qPhR--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20090106193126.GA82164>