From: Wes Peters
Organization: Softweyr LLC
Date: Thu, 18 May 2000 01:57:32 -0600
To: Garrett Wollman
Cc: Kris Kennaway, Robert Watson, Peter Wemm, security@FreeBSD.org
Subject: Re: HEADS UP: New host key for freefall!

Garrett Wollman wrote:
> 
> < said:
> 
> > On Wed, 17 May 2000, Robert Watson wrote:
> 
> >> I do agree that we need to do a CA, but as I've mentioned before, we need
> >> to do it *right* or not at all.  This means a secure key storage
> >> mechanism/facility, offline signing key, etc, etc.  Rather than grow our
> >> own, it might be easier (and more affordable) to sit on someone else's,
> >> unless BSDi has one already?
> 
> > Agreed.
> 
> I think it's important to consider that the level of effort required
> to implement maximal assurance may not necessarily be appropriate for
> this project.  (It certainly isn't appropriate for my organization,
> and we have 500 people on staff and 6 people working full-time on
> {sys,net}admin.)

Right.  Our needs are relatively simple:

o Generate and keep safe a CA key.
o Sign a certificate request for each committer.
o Generate and keep safe a certificate for each "hat".
o Be able to transfer certificates from one person to another when a new
  head fills a "hat".

> >> Does anyone know anything about inter-cert-format certification?
> >> I.e., can an x.509 PKI root sign PGP keys in a useful way?  Is it
> >> usefully verifiable in an automated way?
> 
> > In principle this can be done by extracting a PGP key from the X.509
> > certificate since (AFAIK) it contains (can contain) all of the required
> > bits.  I'm not sure if something more direct has been standardized, though.
> 
> It would be much easier to simply use an X.509 object signing tool to
> sign the canonicalized PGP key, and vice versa.  Or, alternatively,
> dispense with one of the technologies entirely.  X.509 for
> privacy-enhanced mail appears to be effectively dead, and has been for
> some time.

There is a lot more than email to be considered here.  New SSH keys for
freefall could be much more easily posted on a secure web page than
emailed to the whole world.  A simple email indicating the URL of the
page would provide notice.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
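The reply above proposes publishing freefall's new SSH host key on a secure web page and announcing only the URL by mail. Whoever fetches the key still has to check what they actually received against the published fingerprint before trusting it. The following is an added example written for this archive page, not code from the thread or from FreeBSD: it parses an OpenSSH public key line, computes the fingerprint in both the SHA256 form ssh-keygen prints by default and the legacy colon-separated MD5 form (ssh-keygen -E md5), and compares it with a published value. The key bytes are constructed for the example and are not a real host key; all function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[offset + 4:end], end

def parse_pubkey_line(line: str):
    """Parse 'keytype base64 [comment]' -> (keytype, blob); the blob's inner type must match."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type != parts[0].encode("ascii"):
        raise ValueError("key type mismatch between text field and blob")
    return parts[0], blob

def fingerprint(line: str, algo: str = "sha256") -> str:
    """'MD5:' + colon hex (ssh-keygen -E md5, legacy) or, for any other algo
    value, 'SHA256:' + unpadded base64 (ssh-keygen default) of the key blob."""
    _, blob = parse_pubkey_line(line)
    if algo == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(line: str, published: str) -> bool:
    """True if the key on the line carries the published fingerprint (either form)."""
    algo = "md5" if published.strip().startswith("MD5:") else "sha256"
    return hmac.compare_digest(fingerprint(line, algo).encode(), published.strip().encode())

def ed25519_line(raw32: bytes, comment: str) -> str:
    """ssh-ed25519 public key line from 32 raw bytes (constructed sample data only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
SAMPLE_LINE = ed25519_line(bytes(range(32)), "freefall-example")  # constructed, not a real key
```

The comparison is done on the full fingerprint string, so a published value must be copied whole; a leading or trailing newline from a web page is tolerated, a truncated one is not.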