From: "Poul-Henning Kamp" (phk@critter.freebsd.dk)
To: Dag-Erling Smørgrav
Cc: John-Mark Gurney, Yuri, RW, Michelle Sullivan, Igor Mozolevsky, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 12:59:36 +0000
In-reply-to: <86d13kgnfh.fsf@desk.des.no>
Message-ID: <79567.1513083576@critter.freebsd.dk>
List: freebsd-security@freebsd.org
--------
In message <86d13kgnfh.fsf@desk.des.no>, Dag-Erling Smørgrav writes:

> "Poul-Henning Kamp" writes:
>> The only realistic way for the FreeBSD project to implement end-to-end
>> trust, is HTTPS with a self-signed cert, distributed and verified
>> using the project's PGP-trust-mesh and strong social network.
>
> Your suggestion does not remove implicit and possibly misplaced trust,
> it just moves it from one place to another. Instead of trusting a
> certificate authority and DNS, you trust the source of the public key,
> and probably also DNS. As always, it boils down to a) key distribution
> is hard and b) what's your threat model?

I don't think I agree with any of that?

With respect to authenticity of the FreeBSD SVN repo I cannot imagine
anybody else being even one percent as qualified and trustworthy as the
FreeBSD project's own core team.

In particular I would never trust any "In the CA-racket for the money"
organization to do so.

If you are worried that the FreeBSD project "staff" cannot handle a
root-cert competently, then the exposure is no smaller or larger than if
it was a CA-signed cert they fumbled.

Trusting DNS doesn't apply if the project root-cert was stored on my
local machine after I used my best judgement of PGP signatures to
conclude that it was authentic.

And I don't really see distribution of this particular key being
difficult at all: We already PGP sign release checksums for authenticity,
and the FreeBSD root-cert is just another file to get the same treatment.
Poul-Henning

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
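The client-side half of the scheme argued for above (verify a project-distributed root cert via its PGP signature and an out-of-band fingerprint, then pin it for svn instead of relying on the system CA bundle), as an added illustration that is not part of the thread and not FreeBSD project tooling. The host name, file names, key ID and fingerprint are placeholders; `ssl-authority-files` is the standard Subversion `servers` option for a private CA list.

```shell
#!/bin/sh
# Constructed example: pin a PGP-verified, self-signed project root cert for svn.
set -eu

SVN_HOST="svn.example.org"                 # placeholder for the project's svn host
CONF_DIR="${HOME}/.subversion"
PINNED_CERT="${CONF_DIR}/project-root.pem"

# Strip colons and upper-case a fingerprint so two renderings compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Build the [groups]/[section] fragment svn needs to trust only the pinned CA
# for this host; keeps the global CA bundle out of the decision for that host.
svn_pin_config() {   # $1 = host, $2 = path to pinned CA file
    printf '[groups]\nproject = %s\n\n[project]\nssl-authority-files = %s\n' "$1" "$2"
}

# True if the cert's SHA-256 fingerprint equals one obtained out of band
# (e.g. read from a PGP-signed checksum file, not from the same TLS session).
fingerprint_matches() {   # $1 = cert file, $2 = expected fingerprint
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

verify_and_pin() {   # $1 = cert file, $2 = detached .asc, $3 = expected fingerprint
    # 1. Signature must check out against a key already in the local keyring,
    #    i.e. the same trust path used for release checksums.
    gpg --verify "$2" "$1"
    # 2. Independent fingerprint check guards against a swapped cert+sig pair.
    fingerprint_matches "$1" "$3" || { echo "fingerprint mismatch" >&2; return 1; }
    # 3. Install and tell svn to trust only this CA for the project host.
    mkdir -p "${CONF_DIR}"
    install -m 0644 "$1" "${PINNED_CERT}"
    svn_pin_config "${SVN_HOST}" "${PINNED_CERT}" >> "${CONF_DIR}/servers"
}

# Usage (placeholders): verify_and_pin project-root.pem project-root.pem.asc 'AB:CD:...'
```

If `~/.subversion/servers` already has a `[groups]` section, merge the fragment by hand rather than appending a second one.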