Date: Mon, 28 Nov 2005 20:51:40 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Peter Jeremy <PeterJeremy@optushome.com.au>
Cc: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051128204550.Y14247@fledge.watson.org>
In-Reply-To: <20051126224530.GD27757@cirb503493.alcatel.com.au>
References: <20051126224530.GD27757@cirb503493.alcatel.com.au>
On Sun, 27 Nov 2005, Peter Jeremy wrote:

> or "How do I know my copy of FreeBSD is the same as yours?"
>
> I have recently been meditating on the issue of validating X.509 root
> certificates. An obvious extension to that is validating FreeBSD
> itself.

This topic has come up countless times over the years, and one of the recurring debates that comes up with it is what it is the "Project" wants to promise, and whether we want to get into the business of managing lots of keying material. Like it or not, the weaker the promises you make, the easier they are to keep :-).

The concept of even a security officer key has always made me somewhat nervous -- clearly, this is a "valuable" key, but it's also one that has to be made available to anyone who is going to sign a security advisory.

We have persistently signed security advisories, errata notes, and release announcements for the past few years, and the release announcements have included release checksums. I think it would be useful to go quite a bit further, but I think we should be careful to do it for pragmatic reasons, and to be very clear on what it is we are doing by signing things, how hard we are willing to try to protect the keying material, and so on.

Robert N M Watson
