Date: Tue, 12 Dec 2017 17:28:40 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: John-Mark Gurney <jmg@funkthat.com>, Yuri <yuri@rawbw.com>, RW <rwmaillists@googlemail.com>, Michelle Sullivan <michelle@sorbs.net>, Igor Mozolevsky <mozolevsky@gmail.com>, freebsd security <freebsd-security@freebsd.org>
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <864lovhpvr.fsf@desk.des.no>
In-Reply-To: <79567.1513083576@critter.freebsd.dk> (Poul-Henning Kamp's message of "Tue, 12 Dec 2017 12:59:36 +0000")
References: <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws+33V8VzX1Q@mail.gmail.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg+7vSh=iuJ=JU09Q@mail.gmail.com> <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com> <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk>
"Poul-Henning Kamp" <phk@phk.freebsd.dk> writes:
> "Dag-Erling Smørgrav" <des@des.no> writes:
> > Your suggestion does not remove implicit and possibly misplaced
> > trust, it just moves it from one place to another. Instead of
> > trusting a certificate authority and DNS, you trust the source of
> > the public key, and probably also DNS. As always, it boils down to
> > a) key distribution is hard and b) what's your threat model?
> I don't think I agree with any of that ?
>
> With respect to authenticity of the FreeBSD SVN repo I cannot imagine
> anybody else being even one percent as qualified and trustworthy as the
> FreeBSD project's own core team.
[...]

Let me rephrase: it's not just the source of the key or certificate, but the path from that source to you. There is *always* some level of blind trust, and all your suggestion does is move it from one place to another.

You trust the certificate because you trust the PGP key that was used to sign it, but why do you trust the key? Did someone you know personally vouch for it? Do you trust them? Were they present when the key was generated, or do they trust it because someone *they* trust told them it was genuine? Does your trust in whoever gave you the key translate to those they trust? Is there a bottom to this pit?

The bottom line is, once again, that key distribution is hard, and that you shouldn't make infosec decisions without having at least a vague outline of a threat model.

DES
-- 
Dag-Erling Smørgrav - des@des.no