From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 12:29:56 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF0BF16A420; Thu, 1 Dec 2005 12:29:56 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 06E3E43D53; Thu, 1 Dec 2005 12:29:55 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 9428246BCF; Thu, 1 Dec 2005 07:29:54 -0500 (EST)
Date: Thu, 1 Dec 2005 12:29:54 +0000 (GMT)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Peter Jeremy
In-Reply-To: <20051130181530.GE32006@cirb503493.alcatel.com.au>
Message-ID: <20051201115100.M95395@fledge.watson.org>
References: <20051127182116.GA30426@cirb503493.alcatel.com.au> <000e01c5f410$2de67820$1300110a@pooptop> <20051130144343.od5die60gsw4k0k0@netchild.homeip.net> <20051130181530.GE32006@cirb503493.alcatel.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org, Kurt Seifried, Alexander Leidinger
Subject: Re: Reflections on Trusting Trust
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 01 Dec 2005 12:29:56 -0000

On Thu, 1 Dec 2005, Peter Jeremy wrote:

>> But this assumes the signer trusts the FreeBSD.org security:
>
> If you don't trust the FreeBSD Project you wouldn't run FreeBSD.
>
>> Without ssh access there's no way to insert a key into the CVS
>> repository.
>
> Assuming no security holes in the infrastructure... How can I tell that
> my private copy of the FreeBSD Project's CVS repository is the same as
> the one on whatever.FreeBSD.org?

I think this is actually the real core of the issue: what we want is improved confidence of safe delivery in the presence of limited attackers on the wire. That is, we would like to be able to tell the user that, yes, if they managed to get a first FreeBSD ISO in some uncorrupted form (from a trusted vendor, or even from an initially insecure download, which is what 99% will be), from then on they will get source updates generated using keying material that matches something on that ISO, only packages that were generated using keying material that matches something on that ISO, etc.

I agree with the basic concept that, despite the infrastructural complexities and desire to avoid promising more than we can really provide, there are incremental transport and packaging improvements we can make that will provide for safer delivery of our parts to the user. Whether it's using portsnap's signature mechanism, signatures on packages, an https download option for pulling down updates, SSL wrappings for cvsup, or whatever, it seems like we can do better.

If we do go down the route of things like https, X509, and all that, I think we should be very careful to distinguish the CERT chain and roots used for our own purposes, and for normal SSL use, such that if our update chain or package chain is compromised, it doesn't mean a FreeBSD user is immediately vulnerable to more general SSL attacks against other entities (i.e., www.mybank.com).

Robert N M Watson
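The trust-root separation argued for in the last paragraph of the message, as an added Go example (not code from this message, from the FreeBSD Project, or from any FreeBSD update tool). Two self-signed roots are generated on the fly: one standing in for the keying material shipped on the ISO, one for a general-purpose web CA. Certificates are then verified against an explicit pool holding exactly one root, so the system CA store is never consulted. The CA names and the host name update.example.org are constructed for the example; www.mybank.com is the placeholder the message itself uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with the private key it was generated with.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a fresh P-256 key, signs tmpl with parent (self-signs when
// parent is nil) and returns the parsed certificate with its key.
func sign(tmpl *x509.Certificate, parent *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certKey{cert: cert, key: key}
}

// newRoot builds a self-signed CA certificate (constructed for the example).
func newRoot(name string) *certKey {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueServer signs a TLS server certificate for dnsName under this root.
func (r *certKey) issueServer(dnsName string) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, r).cert
}

// trusted reports whether leaf chains to a root in the given pool for dnsName.
// Supplying Roots explicitly means the host's default CA store is ignored.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// Outcome records the three checks a separated-trust design must satisfy.
type Outcome struct {
	UpdateLeafOK bool // update server cert under the ISO root, checked against the ISO root
	WebLeafOK    bool // update server cert under a general web CA, checked against the ISO root
	BankLeafOK   bool // www.mybank.com cert under the ISO root, checked against the general store
}

func runScenario() Outcome {
	updateRoot := newRoot("FreeBSD Update Root (constructed)")
	webRoot := newRoot("General Web CA (constructed)")
	// One root per pool: the update pool models what ships on the ISO, the
	// web pool models the browser/system store used for ordinary SSL.
	updatePool, webPool := x509.NewCertPool(), x509.NewCertPool()
	updatePool.AddCert(updateRoot.cert)
	webPool.AddCert(webRoot.cert)
	const updateHost = "update.example.org" // hypothetical update server
	return Outcome{
		UpdateLeafOK: trusted(updateRoot.issueServer(updateHost), updatePool, updateHost),
		WebLeafOK:    trusted(webRoot.issueServer(updateHost), updatePool, updateHost),
		BankLeafOK:   trusted(updateRoot.issueServer("www.mybank.com"), webPool, "www.mybank.com"),
	}
}

func main() {
	o := runScenario()
	fmt.Printf("ISO root accepts its own update cert:         %v\n", o.UpdateLeafOK) // true
	fmt.Printf("ISO root accepts a web-CA cert for updates:   %v\n", o.WebLeafOK)    // false
	fmt.Printf("web store accepts an ISO-root cert for bank:  %v\n", o.BankLeafOK)   // false
}
```

The second and third results are the point of the message: a general web CA cannot mint a certificate the update client will accept, and a compromise of the update root gains nothing against www.mybank.com, because neither pool contains the other's root. An update client that instead called `x509.SystemCertPool()` or left `Roots` nil would collapse both chains into one.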