Date:      Tue, 12 Dec 2017 12:59:36 +0000
From:      "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        John-Mark Gurney <jmg@funkthat.com>, Yuri <yuri@rawbw.com>, RW <rwmaillists@googlemail.com>, Michelle Sullivan <michelle@sorbs.net>, Igor Mozolevsky <mozolevsky@gmail.com>, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID:  <79567.1513083576@critter.freebsd.dk>
In-Reply-To: <86d13kgnfh.fsf@desk.des.no>
References:  <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws%2B33V8VzX1Q@mail.gmail.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg%2B7vSh=iuJ=JU09Q@mail.gmail.com> <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com> <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no>

--------
In message <86d13kgnfh.fsf@desk.des.no>, Dag-Erling Smørgrav writes:
>"Poul-Henning Kamp" <phk@phk.freebsd.dk> writes:
>> The only realistic way for the FreeBSD project to implement end-to-end
>> trust, is HTTPS with a self-signed cert, distributed and verified
>> using the project's PGP-trust-mesh and strong social network.
>
>Your suggestion does not remove implicit and possibly misplaced trust,
>it just moves it from one place to another.  Instead of trusting a
>certificate authority and DNS, you trust the source of the public key,
>and probably also DNS.  As always, it boils down to a) key distribution
>is hard and b) what's your threat model?

I don't think I agree with any of that?

With respect to authenticity of the FreeBSD SVN repo I cannot
imagine anybody else being even one percent as qualified and
trustworthy as the FreeBSD project's own core-team.

In particular I would never trust any "In the CA-racket for the
money" organization to do so.

If you are worried that the FreeBSD project "staff" cannot
handle a root-cert competently, then the exposure is no
smaller or larger than if it was a CA-signed cert they fumbled.

Trusting DNS doesn't apply if the project root-cert was
stored on my local machine after I used my best judgement of PGP
signatures to conclude that it was authentic.

And I don't really see distribution of this particular key being
difficult at all:  We already PGP sign release checksums for
authenticity and the FreeBSD root-cert is just another file to
get the same treatment.

Poul-Henning

-- 

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe

Never attribute to malice what can adequately be explained by incompetence.