Date: Tue, 12 Dec 2017 10:00:06 -0800
From: Bakul Shah <bakul@bitblocks.com>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: Karl Denninger <karl@denninger.net>, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171212180021.9F19D156E523@mail.bitblocks.com>
In-Reply-To: Your message of "Tue, 12 Dec 2017 14:28:08 +0000." <26440.1513088888@critter.freebsd.dk>
References: <20171205231845.5028d01d@gumby.homeunix.com>
 <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com>
 <20171210173222.GF5901@funkthat.com>
 <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws%2B33V8VzX1Q@mail.gmail.com>
 <5c810101-9092-7665-d623-275c15d4612b@rawbw.com>
 <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg%2B7vSh=iuJ=JU09Q@mail.gmail.com>
 <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com>
 <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com>
 <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>
 <5A2DB80D.3020309@sorbs.net>
 <20171210225326.GK5901@funkthat.com>
 <99305.1512947694@critter.freebsd.dk>
 <86d13kgnfh.fsf@desk.des.no>
 <79567.1513083576@critter.freebsd.dk>
 <c27552cf-45d8-7686-c60d-256537780edc@denninger.net>
 <26440.1513088888@critter.freebsd.dk>

On Tue, 12 Dec 2017 14:28:08 +0000 "Poul-Henning Kamp" <phk@phk.freebsd.dk> wrote:
>
> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
>
> 	svn co ... && find ... -print | sort | xargs cat | sha256
>
> Such an archive would also be invaluable for reauthenticating in
> case, somebody ever manages to do something evil to our repo.

Sort of a public ledger. I have a vague memory of some project
*publishing* a crypto fingerprint of a collection of documents
in a well-known newspaper.... I think it was this one:

https://www.technologyreview.com/s/402961/fingerprinting-your-files/

Computing hashes of hashes is also the basis of a secure timestamp
service invented by Stuart Haber and Scott Stornetta while the two
were at Bellcore in 1990. The service, called Surety, makes it
possible to generate a cryptographically secure and unforgeable
proof that a given document, photograph, or other file existed at
a particular time on a particular date and that it hasn't been
changed since.

The Surety technique works by computing a hash tree based on the
hash codes of every document being time-stamped. The root of the
tree is then published in a well-known location -- it could, for
example, be printed in a classified advertisement in the New York
Times. You can prove that your document existed on the day in
question by showing that your document's fingerprint was needed to
generate the fingerprint-of-fingerprints that appeared in the
newspaper.

Nowadays can you even trust NYT?!
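
The hash-tree proof described in the quoted article, sketched as an added example (not part of the original message, and not Surety's actual algorithm): only the root is published, and one document plus a few sibling hashes is enough to recompute it. SHA-256, the 0x00/0x01 prefixes, the sample documents and all function names are assumptions of this sketch.

```python
import hashlib

# Constructed sample "documents" standing in for the files being fingerprinted.
DOCS = [b"file-a v1", b"file-b v1", b"README v1", b"file-c v1", b"file-d v1"]

def leaf_hash(doc: bytes) -> bytes:
    # 0x00/0x01 prefixes (as in RFC 6962) keep leaves and inner nodes distinct.
    return hashlib.sha256(b"\x00" + doc).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(docs):
    """All tree levels, leaf hashes first, single-root level last."""
    if not docs:
        raise ValueError("need at least one document")
    levels = [[leaf_hash(d) for d in docs]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:              # odd node out is promoted unchanged
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def merkle_root(docs) -> bytes:
    return build_levels(docs)[-1][0]

def inclusion_proof(docs, index):
    """Sibling hashes from leaf to root, tagged with the sibling's side."""
    proof = []
    for level in build_levels(docs)[:-1]:
        sib = index ^ 1
        if sib < len(level):          # no sibling when the node was promoted
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify(doc: bytes, proof, published_root: bytes) -> bool:
    """Recompute the root from one document plus its sibling hashes."""
    acc = leaf_hash(doc)
    for side, sibling in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == published_root

if __name__ == "__main__":
    root = merkle_root(DOCS)          # this value is what gets published
    print("published root:", root.hex())
    print("README included:", verify(DOCS[2], inclusion_proof(DOCS, 2), root))
    print("altered README: ", verify(b"README v2", inclusion_proof(DOCS, 2), root))
```

The verifier needs only the published root, the document and the proof; the other documents never have to be disclosed.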