From: Chad Perrin
To: freebsd-questions@freebsd.org
Date: Tue, 6 Jan 2009 12:31:26 -0700
Subject: Re: Foiling MITM attacks on source and ports trees
Message-ID: <20090106193126.GA82164@kokopelli.hydra>
In-Reply-To: <20090106102124.O34151@wojtek.tensor.gdynia.pl>

On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> >> someone like the FreeBSD Foundation as an appropriate body to own the
> >> cert.
> >
> > I would actually trust a self-signed cert by the FreeBSD security officer,
> > more than one by Verisign.
> of course.
>
> there is no need to have an "authority" to make key pairs, everybody does it
> alone.
>
> actually I would fear using such keys because I'm sure such companies do
> have a copy of both keys.

Out-of-band corroboration of a certificate's authenticity is kind of
necessary to the security model of SSL/TLS. A self-signed certificate, in
and of itself, is not really sufficient to ensure the absence of a
man-in-the-middle attack or other compromise of the system. On the other
hand, I don't trust Verisign, either.

I believe some steps are being made by the Perspectives [1] project that
lead in the right direction [2]. Unfortunately, it's not available at
present for FreeBSD, because the Firefox plugin depends on a binary
executable compiled from C, and my (brief) discussion with one of the
people involved in the project about the potential of porting it to
FreeBSD didn't really bear fruit.

NOTES:

[1] http://www.cs.cmu.edu/~perspectives/index.html
[2] http://blogs.techrepublic.com.com/security/?p#571

-- 
Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Anonymous: "Why do we never have time to do it right, but always
have time to do it over?"
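The kind of out-of-band corroboration the message points to (Perspectives asks several independent network "notaries" which key each of them has seen for a host, and accepts a self-signed key only when enough of them agree over time) can be sketched as follows. This is an added illustration, not code from the message or from the Perspectives project; the `Observation` records, day numbers, the 75% quorum, the two-day minimum and the `corroborated` helper are all assumptions, and the fingerprints are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    """One notary's record of a key it saw for a host (day numbers, not dates)."""
    fingerprint: str  # hex digest of the certificate as seen from that vantage point
    first_seen: int   # first day this key was observed by the notary
    last_seen: int    # most recent day this key was observed by the notary


def latest(history: List[Observation]) -> Observation:
    """The key a notary currently associates with the host."""
    return max(history, key=lambda o: o.last_seen)


def corroborated(presented: str, notaries: Dict[str, List[Observation]],
                 today: int, quorum: float = 0.75, min_days: int = 2) -> bool:
    """Accept `presented` only if at least `quorum` of the notaries currently
    report the same key and have seen it for at least `min_days` days.
    A man in the middle on one network path changes one notary's view,
    not the quorum, and a key that appeared only today fails the duration test.
    (Simplified version of the Perspectives policy; thresholds are assumptions.)"""
    if not notaries:
        return False  # no out-of-band evidence at all: refuse rather than trust the path
    supporting = 0
    for history in notaries.values():
        if not history:
            continue
        cur = latest(history)
        if cur.fingerprint == presented and today - cur.first_seen >= min_days:
            supporting += 1
    return supporting / len(notaries) >= quorum


# Constructed scenario (not real fingerprints): KEY_A has been stable for days;
# KEY_B shows up today on the path seen by notary-4 only.
KEY_A = "a1" * 20
KEY_B = "b2" * 20
NOTARIES = {
    "notary-1": [Observation(KEY_A, 1, 10)],
    "notary-2": [Observation(KEY_A, 1, 10)],
    "notary-3": [Observation(KEY_A, 1, 10)],
    "notary-4": [Observation(KEY_A, 1, 9), Observation(KEY_B, 10, 10)],
}


def demo() -> dict:
    return {"stable_key": corroborated(KEY_A, NOTARIES, today=10),
            "fresh_key_on_one_path": corroborated(KEY_B, NOTARIES, today=10)}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'accept' if verdict else 'reject'}")
```

A legitimate key rotation seen by every notary on the same day is also rejected until the duration threshold passes, which is the trade-off the notary model makes against a fresh key injected on a single path.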