Date: Wed, 17 Mar 2004 14:43:43 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Bob Perry <rperry4@earthlink.net>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: PGP Utility?
Message-ID: <20040317224343.GA70257@xor.obsecurity.org>
In-Reply-To: <4058C1B3.10203@earthlink.net>
References: <405344E5.8090809@earthlink.net> <405363AF.8000108@gmx.at> <4057EC9B.9080102@earthlink.net> <20040317062305.GA59039@xor.obsecurity.org> <4058C1B3.10203@earthlink.net>
On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:
> I'm at the stage now, where I need to validate and certify the Security
> Officer's PGP key before I can verify the signature. Documentation
> suggests "...comparing the key during a phone call." Later, there is the
> reality that "If you don't know the owner of the public key you are
> really in trouble."
>
> Is there some recommended course to follow when it comes to handling
> these FreeBSD security patches?

The point of doing that is that you need to verify to your own
satisfaction that the key that says "FreeBSD Security Officer" really
comes from the FreeBSD Security Officer, and not Joe Evil who is trying
to convince you to run malicious code on your system in the name of a
security patch.

How much convincing you need is up to you - if you are happy with
comparing the key fingerprint included in copies of the documentation,
you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the
copy that was probably installed with your system, or versions on the
web.

If you really want to talk to the security officer to verify his key,
you can email him to arrange a phone call. Of course, then you're
trusting the email and phone system, etc :-) [1]

Kris

[1] Security is hard, there are no magic solutions - the best you can do
is to minimize the level of risk to a level that is acceptable to you.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAWNSeWry0BWjoQKURAhcjAJ4zXu+XOtwOj8Alh7sVeNhnKpIYrQCg6MQa
sD9elngCfpfUPLOfyuBmPUs=
=31nU
-----END PGP SIGNATURE-----
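The procedure Kris describes, as an added example that is not part of the original message: compare the signing key's full fingerprint against a copy obtained out of band (the Handbook on a CD, the installed docs), and only if it matches, import the key into a throwaway keyring and verify the advisory. It assumes GnuPG 2.1 or later is on PATH as gpg; the fingerprint used in the comments and tests is a constructed placeholder, not the real Security Officer key, and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumes gpg (GnuPG >= 2.1)
# is installed. EXPECTED_FPR must be the fingerprint YOU copied from an
# out-of-band source; "0123...4567" below is a constructed placeholder.

# Drop whitespace and upper-case hex so "0123 4567 ..." and "01234567..."
# compare equal regardless of how the documentation formatted it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same full 40-hex-digit (v4) fingerprint.
# A short key ID (8 or 16 hex digits) is refused: short IDs are cheap to
# collide, so matching on one proves nothing about who holds the key.
fingerprint_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint(s) in a key file without importing it.
# In --with-colons output the "fpr" record following a "pub" record carries
# the fingerprint in field 10.
key_fingerprints() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1; next }
                   $1 == "fpr" && want { print $10; want = 0 }'
}

# Usage: verify_advisory EXPECTED_FPR so-key.asc advisory.asc
# Returns 0 only when the key file carries the expected fingerprint AND the
# advisory bears a valid signature from that key (or one of its subkeys).
verify_advisory() {
    expected=$(normalize_fpr "$1"); keyfile=$2; advisory=$3
    found=1
    for fpr in $(key_fingerprints "$keyfile"); do
        if fingerprint_matches "$expected" "$fpr"; then found=0; fi
    done
    if [ "$found" -ne 0 ]; then
        echo "refusing: no key in $keyfile has fingerprint $expected" >&2
        return 1
    fi
    # Throwaway keyring: the system keyring stays untouched and no trust is
    # implied beyond this one comparison.
    tmpdir=$(mktemp -d) || return 1
    GNUPGHOME=$tmpdir gpg --batch --quiet --import "$keyfile" 2>/dev/null
    # VALIDSIG <signing-key fpr> <date> <ts> ... <primary-key fpr>: accept if
    # either the signing key or its primary key is the expected one.
    GNUPGHOME=$tmpdir gpg --batch --status-fd 1 --verify "$advisory" 2>/dev/null \
        | awk -v want="$expected" \
              '$2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
               END { exit ok ? 0 : 1 }'
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}
```

A bare `gpg --verify` succeeding only tells you the file was signed by some key in your keyring; the fingerprint comparison is the step that ties that key to the Security Officer, which is why the script refuses to verify anything until it has passed.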
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040317224343.GA70257>