Date: Thu, 1 Dec 2005 05:15:30 +1100
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Alexander Leidinger <netchild@freebsd.org>
Cc: freebsd-security@freebsd.org, Kurt Seifried <listuser@seifried.org>
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051130181530.GE32006@cirb503493.alcatel.com.au>
In-Reply-To: <20051130144343.od5die60gsw4k0k0@netchild.homeip.net>
References: <20051127182116.GA30426@cirb503493.alcatel.com.au> <000e01c5f410$2de67820$1300110a@pooptop> <20051130144343.od5die60gsw4k0k0@netchild.homeip.net>

On Wed, 2005-Nov-30 14:43:43 +0100, Alexander Leidinger wrote:
>Kurt Seifried <listuser@seifried.org> wrote:
>
>>should have people upload their keys. On another note I am available
>>to sign PGP keys (proving your key/identity is an exercise left to
>>the reader =),
>
>or to the signer... the keys are available in the handbook (either from
>www.freebsd.org or in raw from http://cvsweb.freebsd.org/doc)

But how do I know that the data I download from *.freebsd.org hasn't
been tampered with? Either by a MITM attack between me and the real
*.freebsd.org site or a DNS attack redirecting me to a third site.
This was the nub of my original posting.

> And AFAIK this is all PGP is supposed to verify, that the person
>behind "user@example.tld" is the same as the person with access to the
>secret key for this address.

PGP is susceptible to MITM attacks - Ann asks Bruce for his public
key. Mallory intercepts the request and substitutes his own public
key. He can then intercept, alter and re-sign following exchanges
so neither Ann nor Bruce realise they have an intruder.

>But this assumes the signer trusts the FreeBSD.org security:

If you don't trust the FreeBSD Project you wouldn't run FreeBSD.

> Without ssh access there's no way to insert a key into the CVS
>repository.

Assuming no security holes in the infrastructure... How can I tell
that my private copy of the FreeBSD Project's CVS repository is the
same as the one on whatever.FreeBSD.org?

-- 
Peter Jeremy
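
The key-substitution problem raised in this message, as an added example that is not part of the original e-mail: it cross-checks copies of a key fetched over several channels and shows that agreement between channels proves nothing when one attacker sits in front of all of them, while a fingerprint obtained out of band does. SHA-256 over constructed byte strings stands in for an OpenPGP fingerprint; `assess_key` and the channel names are hypothetical.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional

# Constructed sample key material (not real keys).
GENUINE = b"constructed sample: genuine project public key"
SUBSTITUTED = b"constructed sample: key substituted by Mallory"


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 of the key bytes, standing in for an OpenPGP fingerprint."""
    return hashlib.sha256(key_bytes).hexdigest()


def assess_key(copies: Dict[str, bytes], pinned: Optional[str] = None) -> dict:
    """Judge key copies received per channel (channel name -> key bytes).

    pinned is a fingerprint learned out of band (in person, on paper).
    Without it, the only available check is whether the channels agree.
    """
    fprs = {ch: fingerprint(k) for ch, k in copies.items()}
    if pinned is not None:
        # Out-of-band anchor: every copy must match it exactly.
        bad = sorted(ch for ch, f in fprs.items() if f != pinned)
        return {"verdict": "tampered" if bad else "trusted",
                "suspect_channels": bad}
    # No anchor: the majority value is only a heuristic, not proof.
    majority = Counter(fprs.values()).most_common(1)[0][0]
    odd = sorted(ch for ch, f in fprs.items() if f != majority)
    return {"verdict": "inconsistent" if odd else "consistent-but-unverified",
            "suspect_channels": odd}


if __name__ == "__main__":
    # DNS redirection affecting one site only: the channels disagree.
    one_path = {"www": SUBSTITUTED, "cvsweb": GENUINE, "mirror": GENUINE}
    print(assess_key(one_path))
    # MITM on the reader's own uplink: every channel carries the same
    # substituted key, so the copies agree and nothing looks wrong.
    all_paths = {"www": SUBSTITUTED, "cvsweb": SUBSTITUTED, "mirror": SUBSTITUTED}
    print(assess_key(all_paths))
    # The same download checked against an out-of-band fingerprint.
    print(assess_key(all_paths, pinned=fingerprint(GENUINE)))
```

The second scenario is the case the message describes: without a fingerprint obtained over a path the attacker does not control, a consistent answer from every *.freebsd.org source cannot be told apart from a consistent substitution.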