From: Kevin Oberman
To: Matthew Seaman
Cc: stable@freebsd.org, Garrett Wollman, rainer@ultra-secure.de
Date: Fri, 28 Dec 2012 10:06:19 -0800
Subject: Re: Another pkgng question: signing a repository

On Fri, Dec 28, 2012 at 9:28 AM, Matthew Seaman wrote:
> On 27/12/2012 21:01, Garrett Wollman wrote:
>>> I'm creating my own repository and have created a key for it.
>> [...]
>>> >What does pkg expect to be in this file?
>
>> A public key. It does not use X.509 (nor is there any reason why it
>> should, although I suppose it could be made to at the cost of
>> significant added complexity and a bootstrapping problem).
>
> pkgng has a quite minimal signing setup -- it uses naked RSA
> public/private keys without committing to either of the two popular
> models for providing assurance on the validity of public keys (viz: PGP
> web of trust or X509 style certificate chains to some trusted root
> certificate). It's not clear at the moment if one or other or neither
> of those styles would be preferred in the future.
>
> Or it may well be the case that RFC6698 (DANE -- DNS-Based
> Authentication of Named Entities) via DNSSEC signed zone data[*] is
> preferred over either of the two means frequently used at the moment.
> Remember that there's really only one cryptographic signature needed for
> each architecture/OS version specific repository catalogue. So not a
> huge maintenance burden keeping the DNS up to date and signed even if a
> new repository catalogue is published each day.
>
> Cheers,
>
> Matthew
>
> [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have
> to remain no more than a pipe-dream for the time being.

So why not? BIND 9.9 makes signing pretty easy and many registrars support it, though not all do. I think Tucows does, though I don't use them, so I might be wrong.

With all of the concern over security after the intrusion, this seems like a good time to get started with signing. (Yes, I know everyone is really tied up with auditing things, but if it keeps getting delayed, it will not happen.)

And, yes, DANE is clearly preferable to either PGP (#2 choice, IMHO) or X.509 (too broken to be worth considering).

--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com