From owner-freebsd-questions@FreeBSD.ORG Tue Jan 6 20:11:54 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 232F81065672 for ; Tue, 6 Jan 2009 20:11:54 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from mail.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id CEB218FC1E for ; Tue, 6 Jan 2009 20:11:53 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from localhost (mail.rachie.is-a-geek.net [192.168.2.101]) by mail.rachie.is-a-geek.net (Postfix) with ESMTP id 5FC3FAFC1FF; Tue, 6 Jan 2009 11:11:52 -0900 (AKST) From: Mel To: freebsd-questions@freebsd.org Date: Tue, 6 Jan 2009 11:11:52 -0900 User-Agent: KMail/1.9.10 References: <20090102164412.GA1258@phenom.cordula.ws> <20090106102124.O34151@wojtek.tensor.gdynia.pl> <20090106193126.GA82164@kokopelli.hydra> In-Reply-To: <20090106193126.GA82164@kokopelli.hydra> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200901061111.52155.fbsd.questions@rachie.is-a-geek.net> Cc: Chad Perrin Subject: Re: Foiling MITM attacks on source and ports trees X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jan 2009 20:11:55 -0000 On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote: > On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote: > > >>someone like the FreeBSD Foundation as an appropriate body to own the > > >>cert. > > > > > > > > >I would actually trust a self-signed cert by the FreeBSD security > > > officer, more then one by Verisign. > > > > of course. > > > > there is no need to have an "authority" to make key pairs, everybody do > > it alone. > > > > actually i would fear using such keys because i'm sure such companies do > > have a copy of both keys. > > Out-of-band corroboration of a certificate's authenticity is kind of > necessary to the security model of SSL/TLS. A self-signed certificate, > in and of itself, is not really sufficient to ensure the absence of a man > in the middle attack or other compromise of the system. > > On the other hand, I don't trust Verisign, either. In the less virtual world, we only trust governments to provide identity papers (manufactured by companies, but still the records are kept and verified by a government entity). Instead of trying to regulate the internet and provide a penal system, governments would do much better taking their responsibility on these issues. It shouldn't be so hard to give every citizen the option to "get an online certificate corresponding with their passport" and similarly for Chambers of Commerce to provide certificates for businesses. -- Mel Problem with today's modular software: they start with the modules and never get to the software part.