Date: Wed, 17 Mar 2004 19:05:22 -0500
From: Bob Perry <rperry4@earthlink.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: Re: PGP Utility?
Message-ID: <4058E7C2.6010007@earthlink.net>
In-Reply-To: <20040317224343.GA70257@xor.obsecurity.org>
References: <405344E5.8090809@earthlink.net> <405363AF.8000108@gmx.at> <4057EC9B.9080102@earthlink.net> <20040317062305.GA59039@xor.obsecurity.org> <4058C1B3.10203@earthlink.net> <20040317224343.GA70257@xor.obsecurity.org>
Kris Kennaway wrote:

> On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:
>
>> I'm at the stage now, where I need to validate and certify the Security
>> Officer's PGP key before I can verify the signature. Documentation suggests
>> "...comparing the key during a phone call." Later, there is the reality
>> that "If you don't know the owner of the public key you are really in
>> trouble."
>>
>> Is there some recommended course to follow when it comes to handling these
>> FreeBSD security patches?
>
> The point of doing that is that you need to verify to your own
> satisfaction that the key that says "FreeBSD Security Officer" really
> comes from the FreeBSD Security Officer, and not Joe Evil who is
> trying to convince you to run malicious code on your system in the
> name of a security patch.
>
> How much convincing you need is up to you

I think I was born paranoid. Odds are I was looking both ways before even
considering poking my head into this world.

> - if you are happy with
> comparing the key fingerprint included in copies of the documentation,
> you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the
> copy that was probably installed with your system, or versions on the
> web. If you really want to talk to the security officer to verify his
> key, you can email him to arrange a phone call. Of course, then you're
> trusting the email and phone system, etc :-) [1]
>
> Kris
>
> [1] Security is hard, there are no magic solutions - the best you can
> do is to minimize the level of risk to a level that is acceptable to
> you.

That became apparent once I stopped whining.

Thanks again,
Bob.

-- 
I've learned that whatever hits the fan will not be evenly distributed.

FreeBSD 4.9-RELEASE-p2 #0
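Kris's advice above is to compare the fingerprint of the key you imported against copies obtained from independent places (the Handbook on a CD, the copy installed with the system, the web). The following script is an added example, not code from this thread or from the FreeBSD project; the `gpg --fingerprint` output and every fingerprint value in it are constructed placeholders, not the real Security Officer key. It normalizes the differently formatted copies and refuses to accept the key if fewer than two sources agree or if any source disagrees.

```python
"""Cross-check a PGP key fingerprint against independently obtained copies.
Added example, not code from the original thread; every fingerprint below is
a constructed placeholder, NOT the real FreeBSD Security Officer key."""
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")

def normalize(fp):
    """Strip spaces/colons and uppercase; reject anything that is not 40 hex digits."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not HEX40.match(cleaned):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fp)
    return cleaned

def fingerprint_from_gpg_output(text):
    """Pull the 'Key fingerprint = ...' line out of `gpg --fingerprint` output."""
    for line in text.splitlines():
        m = re.search(r"fingerprint\s*=\s*([0-9A-Fa-f :]+)$", line.strip())
        if m:
            return normalize(m.group(1))
    raise ValueError("no fingerprint line in gpg output")

def verify_against_sources(local_fp, sources, minimum=2):
    """Return (ok, agreeing, disagreeing). ok only when at least `minimum`
    copies match AND none disagrees: one mismatching copy means tampering."""
    local = normalize(local_fp)
    agree, disagree = [], []
    for name, published in sources.items():
        (agree if normalize(published) == local else disagree).append(name)
    return (len(agree) >= minimum and not disagree, agree, disagree)

# Constructed sample of `gpg --fingerprint` output for an imported key.
SAMPLE_GPG_OUTPUT = """\
pub   1024D/00000000 2004-01-01 Example Security Officer (CONSTRUCTED)
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
"""

# Constructed copies "obtained" from the independent places Kris lists.
PUBLISHED_COPIES = {
    "handbook_on_cd": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "installed_handbook": "0123456789abcdef0123456789abcdef01234567",
    "web_copy": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
}

LOCAL_FP = fingerprint_from_gpg_output(SAMPLE_GPG_OUTPUT)
OK, AGREE, DISAGREE = verify_against_sources(LOCAL_FP, PUBLISHED_COPIES)
```

Running it with a real key means replacing the constructed block with the actual `gpg --fingerprint` output and typing in the fingerprints you read from each physical or separately downloaded copy yourself.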