Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 28 Dec 2012 17:28:38 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        Garrett Wollman <wollman@hergotha.csail.mit.edu>
Cc:        stable@freebsd.org, rainer@ultra-secure.de
Subject:   Re: Anothe pkgng question: signing a repository
Message-ID:  <50DDD6C6.3050606@FreeBSD.org>
In-Reply-To: <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu>
References:  <201212272101.qBRL1hXP016548@hergotha.csail.mit.edu>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigB43379DFA8FF395CEF022909
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 27/12/2012 21:01, Garrett Wollman wrote:
>> I'm creating my own repository and have created a key for it.
> [...]
>> >What does pkg expect to be in this file?

> A public key.  It does not use X.509 (nor is there any reason why it
> should, although I suppose it could be made to at the cost of
> significant added complexity and a bootstrapping problem).

pkgng has a quite minimal signing setup -- it uses naked RSA
public/private keys without committing to either of the two popular
models for providing assurance on the validity of public keys (viz: PGP
web of trust or X509 style certificate chains to some trusted root
certificate).  It's not clear at the moment if one or other or neither
of those styles would be preferred in the future.

Or it may well be the case that RFC6698 (DANE -- DNS-Based
Authentication of Named Entities) via DNSSEC signed zone data[*] is
preferred over either of the two means frequently used at the moment.
Remember that there's really only one cryptographic signature needed for
each architecture/OS version specific repository catalogue.  So not a
huge maintenance burden keeping the DNS up to date and signed even if a
new repository catalogue is published each day.

	Cheers,

	Matthew

[*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have
to remain no more than a pipe-dream for the time being.

--=20
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey



--------------enigB43379DFA8FF395CEF022909
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDd1s0ACgkQ8Mjk52CukIzyzgCfaZh4H22FAy4VfZWUK4p4GaHK
gTkAn3bAw4naA/+y32KEmoGaEG8tEde3
=pcPU
-----END PGP SIGNATURE-----

--------------enigB43379DFA8FF395CEF022909--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50DDD6C6.3050606>