From owner-freebsd-security-notifications Fri Feb 9 13:26:42 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 3B38037B699; Fri, 9 Feb 2001 13:26:13 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: Reminder notice about FreeBSD Security Advisories
Message-Id: <20010209212613.3B38037B699@hub.freebsd.org>
Date: Fri, 9 Feb 2001 13:26:13 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

This is a reminder notice that all FreeBSD Security Advisories are signed with the PGP key of the security officer, available from the following location:

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

A copy of the public key containing more signatures may be retrieved from the http://keys.pgp.com key server.

The PGP signature should be verified on all FreeBSD Security Advisories prior to trusting their contents -- recent events have reminded the community that e-mail may be trivially spoofed, and this is in fact the precise reason the security officer signs all official advisories. Advisories with missing or invalid signatures must be assumed to be written by third parties, and therefore unofficial and unsanctioned by the FreeBSD Project.

While the recent examples of spoofed advisories were childish and easily seen to be counterfeits, the originator has done the service of reinforcing the point that signature verification is necessary. Consider the example of a spoofed advisory which appears to be fully legitimate and describes an abstruse and difficult to understand "security vulnerability", and which contains instructions which subtly weaken or compromise the security of machines upon which the instructions are carried out.

At this time, GnuPG is the PGP software recommended by the security officer for use on FreeBSD. This and other PGP software are also included in the FreeBSD ports collection and available commercially.

Most modern mail software allows PGP signature verification to be done automatically at the time the message is displayed. Consult the documentation for your mail and PGP software to find out how to configure it to automatically verify signatures in e-mail. A sample configuration file for the mutt mail reader to allow automatic signature verification (suitable for addition to the user's ~/.muttrc file) is available from:

    http://www.freebsd.org/~kris/muttrc-gpg

This relies on the availability of the gnupg software (/usr/ports/security/gnupg).

Note that the security-officer PGP key uses the IDEA algorithm for encrypted (as opposed to signed) messages you may wish to send to us, which is not included in gnupg by default. IDEA is covered by a patent, but the licensing terms permit use for non-commercial purposes. To install IDEA support, perform the following steps as root:

    # cd /usr/ports/security/gnupg-idea
    # make all install clean MAKE_IDEA=yes

IDEA support is not required to verify signatures made by the security officer.

Kris Kennaway
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoRf/lUuHi5z0oilAQFSegQAkkzFwV/1uGv0W6CJmsNWExCrSZlGBk7p
NixT7iXXa3CF0IllKadoTPr735IO3yKUsg/ujgWU0tpwnSLh6A9C8QqAkBBO2BJQ
y/rLA9qFuz+a3sbrtBVSV7GSzQm7ebzyVpef/ThMfM69C5bnmnhlPWdB6qNbYQAj
2c7MKMGIHuQ=
=Ud07
-----END PGP SIGNATURE-----
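An added example, not part of the notice above, that turns its advice into a reusable check with GnuPG: it verifies an advisory file against a dedicated keyring that holds only the security officer's key (so no unrelated key on the user's main ring can vouch for a message), treats a missing or bad signature as failure, and optionally compares the signing key's fingerprint with one obtained out of band. The file names, the keyring directory and the EXPECTED_FPR variable are assumptions made for this example.

```shell
#!/bin/sh
# Verify a PGP-signed advisory with a keyring containing only the trusted key.
set -eu

# Public key file, assumed already fetched from
# ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc (constructed default name).
: "${SO_KEY:=public_key.asc}"
# Separate GnuPG home so only the imported key can produce a valid result.
: "${ADV_HOME:=${HOME:-/tmp}/.gnupg-freebsd-so}"
# Optional: fingerprint obtained out of band (e.g. printed media, key server
# signatures). Left empty here because this example does not know the real one.
: "${EXPECTED_FPR:=}"

# verify_advisory FILE
#   Prints the signing key fingerprint and returns 0 only when the signature
#   is cryptographically valid (and matches EXPECTED_FPR, if set).
#   Unsigned files, bad signatures and unknown keys all return 1.
verify_advisory() {
    adv="$1"
    mkdir -p "$ADV_HOME"
    chmod 700 "$ADV_HOME"
    gpg --homedir "$ADV_HOME" --batch --quiet --import "$SO_KEY" 2>/dev/null || true

    # --status-fd gives machine-readable lines; VALIDSIG is emitted only for a
    # signature that verifies against a key in this keyring.
    status=$(gpg --homedir "$ADV_HOME" --batch --status-fd 1 \
                 --verify "$adv" 2>/dev/null) || true
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3 }')

    if [ -z "$fpr" ]; then
        echo "REJECT: $adv has no valid signature; treat as unofficial" >&2
        return 1
    fi
    if [ -n "$EXPECTED_FPR" ] && [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "REJECT: $adv signed by $fpr, expected $EXPECTED_FPR" >&2
        return 1
    fi
    echo "$fpr"
}
```

Run as `verify_advisory SA-xx.asc` after setting SO_KEY; a non-zero exit means the text must not be acted on.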