From owner-freebsd-security  Wed May 17 13:30:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0DF9437BCE8; Wed, 17 May 2000 13:30:46 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA89882;
	Wed, 17 May 2000 13:30:46 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 17 May 2000 13:30:45 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: security@FreeBSD.ORG, Robert Watson <rwatson@FreeBSD.ORG>,
	Darren Reed <darrenr@reed.wattle.id.au>,
	Peter Wemm <peter@netplex.com.au>
Subject: Re: HEADS UP: New host key for freefall!
In-Reply-To: <200005172017.QAA26098@khavrinen.lcs.mit.edu>
Message-ID: <Pine.BSF.4.21.0005171327260.89284-100000@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 17 May 2000, Garrett Wollman wrote:

> > The point of a PKI is that you can have a *single* trusted root
> > certificate with all others signed by that one in a hierarchy. In order to
> > root the tree in something which (e.g.) Netscape browsers will
> > automatically understand, we'd need to have at least one key signed by a
> > commercial CA (Verisign, Thawte, ..) 
> 
> ...who are generally unwilling to sign CA certificates, and when they
> are, charge very large sums of money to do so.  This is why most

Hmm, I didnt think of this.

> organizations which use X.509 for internal authentication purposes 
> run their own CAs and deploy customized Web-browser installations
> which come with the appropriate CA certs preinstalled.  (My employer,
> which owns tens of thousands of computers and has almost as many
> employees, does this.  People who install the ``latest and greatest''
> browser from wherever don't get support.)

We could implement this without too much trouble by shipping the root cert
on CD with FreeBSD releases (and having some kind of online distribution
method, perhaps signed by a bunch of PGP keys) and instructing people on
how to load it into netscape (if it were to be used for https purposes).
Perhaps we could even make the netscape port pre-load it - we already have
the infrastructure for customizing netscape prior to use.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message