From: Bob Perry <rperry4@earthlink.net>
Date: Wed, 17 Mar 2004 19:05:22 -0500
To: Kris Kennaway
cc: FreeBSD-Questions
Subject: Re: PGP Utility?

Kris Kennaway wrote:
> On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:
>
>> I'm at the stage now, where I need to validate and certify the Security
>> Officer's PGP key before I can verify the signature. Documentation suggests
>> "...comparing the key during a phone call." Later, there is the reality that
>> "If you don't know the owner of the public key you are really in trouble."
>>
>> Is there some recommended course to follow when it comes to handling these
>> FreeBSD security patches?
>
> The point of doing that is that you need to verify to your own
> satisfaction that the key that says "FreeBSD Security Officer" really
> comes from the FreeBSD Security Officer, and not Joe Evil who is
> trying to convince you to run malicious code on your system in the
> name of a security patch.
>
> How much convincing you need is up to you

I think I was born paranoid. Odds are I was looking both ways before even
considering poking my head into this world.

> - if you are happy with
> comparing the key fingerprint included in copies of the documentation,
> you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the
> copy that was probably installed with your system, or versions on the
> web. If you really want to talk to the security officer to verify his
> key, you can email him to arrange a phone call. Of course, then you're
> trusting the email and phone system, etc :-) [1]
>
> Kris
>
> [1] Security is hard, there are no magic solutions - the best you can
> do is to minimize the level of risk to a level that is acceptable to
> you.

That became apparent once I stopped whining.

Thanks again,
Bob.

--
I've learned that whatever hits the fan will not be evenly distributed.
FreeBSD 4.9-RELEASE-p2 #0
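The fingerprint comparison Kris describes, as an added example that is not part of the thread: parse the fingerprint gpg reports for an imported key, normalize it, and compare it against the fingerprint printed in a trusted copy of the documentation before trusting the key. The key ID, user ID and fingerprint below are constructed placeholders, not the real Security Officer key.

```sh
#!/bin/sh
# Added example: compare a PGP key's fingerprint with the one in trusted documentation.

# Normalize a fingerprint: drop spaces, colons and newlines, upper-case hex digits,
# so the spaced form from the Handbook compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'abcdef' 'ABCDEF'
}

# Extract the primary key fingerprint from `gpg --with-colons --fingerprint` output:
# the fingerprint is field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only if a non-empty documented fingerprint equals the key's fingerprint.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed sample of gpg colon output for a hypothetical key (not a real key).
SAMPLE_COLONS='pub:-:1024:17:0123456789ABCDEF:2004-01-01:::-:Example Security Officer <so@example.org>::scaESCA:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:16:FEDCBA9876543210:2004-01-01::::::e:'

# The fingerprint as a documentation copy would print it (constructed, spaced format).
DOCUMENTED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

# Run the comparison over the embedded sample so the logic can be exercised offline.
check_sample_key() {
    actual=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
    fingerprint_matches "$DOCUMENTED_FPR" "$actual"
}

# Real use (hypothetical wrapper): verify an advisory signature only after the
# signer's fingerprint has been checked against the documented one.
# usage: verify_advisory KEYID 'DOCUMENTED FINGERPRINT' advisory.asc
verify_advisory() {
    actual=$(gpg --with-colons --fingerprint "$1" | fpr_from_colons) || return 1
    fingerprint_matches "$2" "$actual" || { echo "fingerprint mismatch: do not trust key $1" >&2; return 1; }
    gpg --verify "$3"
}

if check_sample_key; then echo "sample key fingerprint matches the documented copy"; fi
```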