From: "aristeu" <suporte@wahtec.com.br>
To: freebsd-security@freebsd.org
Date: Tue, 29 Nov 2005 18:49:11 -0200
Subject: RE: Reflections on Trusting Trust
Message-ID: <000201c5f526$5a000400$e403000a@rickderringer>
List-Id: "Security issues [members-only posting]"

> Can you explain what you mean here. Virtually all distfiles needed to
> build a port have MD5 and maybe SHA-256 hashes embedded in the ports
> tree. The only way to easily circumvent these is to subvert the ports
> tree - which gets back to the issue of trusting the FreeBSD distribution.
> I agree that there's currently no integrity checking on packages.
> (And, BTW, tar has no integrity checks).

Anyone who is between you and the FreeBSD cvsup server can make his own ports tree repository. That being done, he just needs to redirect your connection and wait 'til your next cvsup sync is done.

About the tar.bz2 archives, or whatever you use with tar: yes, if a file is corrupted it doesn't finish decompressing... nice check, huh... :P Well, it was a joke, sort of.

> I don't believe this solves anything. The biggest problem is ensuring
> that you can trust your initial keyring or root certificate
> collection. Putting "trusted" keys on an ISO only gives you circular
> trust - you trust that the ISO image came from the people who made it.

There must be a beginning. Or else people will need to go to the headquarters to get the CD or to the CA to get their certificate. Root certificates don't expire?

> There's no easy way to verify that it came from the FreeBSD Project.
> The FreeBSD project also discourages the inclusion of GPL code in the
> base system, making gnupg unattractive as a base system candidate.
> Finally, PGP does not have the concept of "important" keys - this is
> closer to the X.509 model. The base system already includes tools for
> handling X.509 signatures (openssl) and there is already a collection
> of X.509 keys embedded in the ports system (security/ca-roots).

It's the easiest way I could think of, without inserting another trust point (the CA's infrastructure and the people who work on them). I'm not against X.509 signatures, I like them as I like pub key. BUT you need to know that, yet, installing a ca-root certificates port, downloading a public key or resyncing your ports tree implies network transmission of certificates, keys, or hashes. MITM can be done in all of that.

The part I don't like is that a hash is just a hash. No one owns it.

About the GNU part, a user from this list sent me an email telling me there is a BSD-licensed solution coming soon. Thanks markzero for the note. http://netbsd-soc.sourceforge.net/projects/bpg/

Well, anyway, for me, public keys or certificates must be pre-installed on the ISO release and hashes serve only for integrity check, nothing more.

[]'s
aristeu
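The distinction the thread keeps circling ("a hash is just a hash, no one owns it") can be made concrete. The following is an added example written for this archive page, not code from the thread, from FreeBSD or from the bpg project. It models a ports-style distinfo record (`SHA256 (name) = hex`) and compares a bare hash check with a check that also verifies a signature over distinfo using a key assumed to have shipped with the install media. The signature scheme is textbook RSA over a SHA-256 digest with two known Mersenne primes as a constructed toy keypair (no padding, not for real use); the distfile contents and the substituted contents are constructed sample data.

```python
import hashlib

# Toy RSA keypair from two known Mersenne primes (constructed for this example;
# a real keypair would come from openssl or gnupg and be much better chosen).
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)    # the part assumed to be pre-installed on the ISO
PRIVATE_KEY = (_N, _D)   # stays with whoever publishes the ports tree


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_distinfo(name: str, data: bytes) -> str:
    """Build a distinfo record in the ports-tree style: 'SHA256 (name) = hex'."""
    return f"SHA256 ({name}) = {sha256_hex(data)}\n"


def check_integrity(name: str, data: bytes, distinfo: str) -> bool:
    """Hash check only: does the distfile match the hash recorded in distinfo?"""
    prefix = f"SHA256 ({name}) = "
    for line in distinfo.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):] == sha256_hex(data)
    return False


def sign(data: bytes, key) -> int:
    """Textbook RSA signature over a SHA-256 digest (toy: no padding)."""
    n, d = key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")  # h < n here
    return pow(h, d, n)


def verify(data: bytes, sig: int, key) -> bool:
    """Recover the digest from the signature and compare with the data's digest."""
    n, e = key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, e, n) == h


def check_authenticity(name: str, data: bytes, distinfo: str,
                       distinfo_sig: int, pubkey) -> bool:
    """Signature over distinfo proves who published the hash; the hash then
    binds the distfile to that signed record."""
    return (verify(distinfo.encode(), distinfo_sig, pubkey)
            and check_integrity(name, data, distinfo))


def scenario() -> dict:
    """Genuine tree vs. a tree where both distfile and distinfo were replaced."""
    name = "example-1.0.tar.gz"
    genuine = b"genuine distfile contents (constructed sample)"
    distinfo = make_distinfo(name, genuine)
    distinfo_sig = sign(distinfo.encode(), PRIVATE_KEY)

    # Someone on the path serves a different archive together with a
    # distinfo that matches it; they cannot produce a signature for it.
    substituted = b"substituted distfile contents (constructed sample)"
    forged_distinfo = make_distinfo(name, substituted)

    return {
        "genuine_integrity": check_integrity(name, genuine, distinfo),
        "genuine_authentic": check_authenticity(
            name, genuine, distinfo, distinfo_sig, PUBLIC_KEY),
        "substituted_integrity": check_integrity(
            name, substituted, forged_distinfo),
        "substituted_authentic": check_authenticity(
            name, substituted, forged_distinfo, distinfo_sig, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The substituted tree passes `check_integrity` because the hash travelled over the same untrusted channel as the file it describes; only `check_authenticity` fails, and it fails because the verifying key did not come over that channel. That is the whole argument for pre-installed keys: the hash detects corruption, the signature tells you who published the hash.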