Date: Sun, 27 Nov 2005 09:45:30 +1100 From: Peter Jeremy <PeterJeremy@optushome.com.au> To: freebsd-security@freebsd.org Subject: Reflections on Trusting Trust Message-ID: <20051126224530.GD27757@cirb503493.alcatel.com.au>
next in thread | raw e-mail | index | archive | help
--lCAWRPmW1mITcIfM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable or "How do I know my copy of FreeBSD is the same as yours?" I have recently been meditating on the issue of validating X.509 root certificates. An obvious extension to that is validating FreeBSD itself. Under "The Cutting Edge", the handbook lists 3 methods of synchronising your personal copy of FreeBSD with the Project's copy: Anonymous CVS, CTM and CVSup. There are two CTM modes (e-mail and FTP) and you can also download or buy ISOs. Of these six options, only CTM via e-mail has a digital signature, though the ISO checksums can be compared against the signed release announcements. Physical ISOs are a tricky subject - by trusting the content, I am implicitly trusting the vendor (Walnut Creek, Wind River in the past and (eg) FreeBSD Mall now). The FreeBSD project appears to have three official keys: 1) FreeBSD Security Officer (0xCA6CDFB2) 2) Core Team Secretary (0xFF8AE305) 3) CTM e-mail (0xC380B4D8) Of these, only the Security Officer's key has a wide assortment of signatures - providing a reasonably likelihood that an arbitrary person will be able to integrate it into their PGP web-of-trust. The Core Team secretary's key is only signed by four people other than the current secretary - this is somewhat marginal. The CTM key has only a single signature. This is manifestly inadequate. At the very least, the key should be signed by the person who is running the CTM service. The FreeBSD release announcements are currently signed personally by the Release Engineer. IMHO, there should be a FreeBSD Release Engineering key that is used for these announcements. I have also been unable to locate any published information regarding the protection of or access to the private keys for the above. Finally, FreeBSD is dependent on the protection of its DNS entries. Many years ago, I asked about the DNS servers and got a response that I found acceptable. Based on a recent check, I suspect that things have changed - it looks like ns0.freebsd.org is now part of Yahoo. Overall, I believe FreeBSD could be improved by: - Formulating and promulgating a policy for the protection and use of FreeBSD Project DNS, keys and certificates. (The public version of the policy does not go into explicit details but should allow an independent observer to verify its adequacy). - Creating a FreeBSD Release Engineering key which is used to sign official e-mails from the release engineering team - in particular -RELEASE announcements. - Tying all the FreeBSD Project keys together by cross-signing them all. - Arranging for a wider range of signatures on FreeBSD Project keys (the SO key's already meets this). - Investigate obtaining a X.509 certificate for the FreeBSD Project - Signing ISO images with a Project key and/or certificate in addition to providing MD5 checksums. - Investigate providing authenticated protocols for updating FreeBSD. --=20 Peter Jeremy --lCAWRPmW1mITcIfM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDiOWJ/opHv/APuIcRAn9rAKCw59VKo1RbWwzjTc8XYq9rK7I8vQCfTBaG HhPsaAi6/nALm+brUw/9Lyo= =YP4A -----END PGP SIGNATURE----- --lCAWRPmW1mITcIfM--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051126224530.GD27757>