From owner-freebsd-security@FreeBSD.ORG Mon Nov 28 20:51:51 2005
Date: Mon, 28 Nov 2005 20:51:40 +0000 (GMT)
From: Robert Watson
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
In-Reply-To: <20051126224530.GD27757@cirb503493.alcatel.com.au>
Message-ID: <20051128204550.Y14247@fledge.watson.org>
References: <20051126224530.GD27757@cirb503493.alcatel.com.au>
List-Id: "Security issues [members-only posting]"

On Sun, 27 Nov 2005, Peter Jeremy wrote:

> or "How do I know my copy of FreeBSD is the same as yours?"
>
> I have recently been meditating on the issue of validating X.509 root
> certificates. An obvious extension to that is validating FreeBSD
> itself.

This topic has come up countless times over the years, and one of the recurring debates that comes up with it is what it is the "Project" wants to promise, and whether we want to get into the business of managing lots of keying material.
Like it or not, the weaker the promises you make, the easier they are to keep :-).

The concept of even a security officer key has always made me somewhat nervous -- clearly, this is a "valuable" key, but it's also one that has to be made available to anyone who is going to sign a security advisory. We have persistently signed security advisories, errata notes, and release announcements for the past few years, and the release announcements have included release checksums.

I think it would be useful to go quite a bit further, but I think we should be careful to do it for pragmatic reasons, and to be very clear on what it is we are doing by signing things, how hard we are willing to try to protect the keying material, and so on.

Robert N M Watson