From owner-freebsd-security Thu May 18 8:54:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id D128637B50D for ; Thu, 18 May 2000 08:54:41 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA05366; Thu, 18 May 2000 11:54:31 -0400 (EDT) (envelope-from wollman)
Date: Thu, 18 May 2000 11:54:31 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200005181554.LAA05366@khavrinen.lcs.mit.edu>
To: Wes Peters
Cc: security@FreeBSD.org
Subject: CAs (was: Re: HEADS UP: New host key for freefall!)
In-Reply-To: <3923A26C.2E61D1E1@softweyr.com>
References: <200005171951.PAA15001@khavrinen.lcs.mit.edu> <3923A26C.2E61D1E1@softweyr.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Right. Our needs are relatively simple:
>
> o Generate and keep safe a CA key.

Sure.

> o Sign a certificate request for each committer.

I don't see that this is necessary or useful.

> o Generate and keep safe a certificate for each "hat".

Generate and keep safe a *key* for each role account. The certificate
itself is by design public knowledge.

> o Be able to transfer certificates from one person to another when a
> new head fills a "hat".

Again, s/certificate/key/g.

> There is a lot more than email to be considered here. New SSH keys
> for freefall could be much more easily posted on a secure web page
> than emailed to the whole world.

But doing so wouldn't prove anything. In a case like this, the new key
needs to be vouched for by a specific person: the person who installed
the new key (in this case, the root@FreeBSD.org role account). In such
a circumstance, X.509 has little advantage and lots of unnecessary
complexity and cost over something like PGP.

-GAWollman

--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message