ports signing, Was: cvsup/install over ssh?
From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 05/07/02
- Next message: Martin McCormick: "I am My Own Worst Enemy Regarding Denial of Service!"
- Previous message: Retal: "I can't see this damn message anymore"
- In reply to: SolarfluX: "cvsup/install over ssh?"
- Next in thread: Garrett Wollman: "ports signing, Was: cvsup/install over ssh?"
- Reply: Garrett Wollman: "ports signing, Was: cvsup/install over ssh?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 May 2002 14:48:33 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: SolarfluX <solarflux@ziplip.com>
SolarfluX(solarflux@ziplip.com)@2002.05.06 14:05:48 +0000:
> Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?
ipsec(4)
> How about an option to install over an encrypted connection?
setkey(8)
> Would anyone consider implementing either of these suggestions?
main question: what problem do you want to solve with it?
on a high-volume download site i wouldn't even think about implementing
payload signing/encryption on the network layer. the cost of cpu cycles
in such an environment is much too high. as hardware gets faster and
cheaper, it might become a reality.
perhaps someday, there will be tokens and configuration info available
for ftp.freebsd.org, but what about the mirrors? trust, authenticity,
integrity must be maintained throughout the infrastructure. this is not
possible through encryption on the network layer alone.
in ports' distfiles, checksums are used already, but only to have
control over source archive integrity, not really authenticity (this
would imply the ports tree itself being signed, or elements of it, using
some PKCS variant).
what i could imagine is a "checksig" target in the ports tree, but this
has the following implications:
- one additional .sig/.asc file per port
- gnupg must be installed first to be able to check (but this could
already be a tampered version that gives an "OK" every time)
- each port maintainer must have a private key and gnupg to sign his
port(s)
- a publicly available web of trust containing cross-signed pubkeys of
the maintainers needs to be made available (and managed)
- the maintainer's mailbox will most certainly fill up with "port <name>
is not signed" or whatever other obscure messages when the system is
freshly deployed
thinking about it, it looks worth thinking about a little further.
opinions? flames?
regards,
/k
--
> The life uncaffeinated is not worth living. --Michael Han
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- application/pgp-signature attachment: stored
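Added worked example (not code from the ports tree, from FreeBSD, or from the author of the mail above): a toy model of the distinction the mail draws between the distinfo checksum (integrity) and the proposed per-port signature checked by a "checksig" target (authenticity), and of why the verifying key has to come from a locally held keyring rather than from the mirror. Everything in it is an assumption for illustration: distinfo is modelled as "ALGO (filename) = hexdigest" lines (the 2002 tree used MD5, the sample uses SHA256 so it runs on any Python); gnupg is replaced by a deliberately toy textbook-RSA signer built from Mersenne primes with no padding, which is not a usable signature scheme; the distfile bytes, file name, maintainer and attacker key pairs, and all function names are constructed here. The four scenario functions return (checksum result, checksig result) for an honest mirror, a mirror that swaps only the tarball, a mirror that rewrites distinfo to match, and a mirror that signs with a key of its own.

```python
import hashlib
import re

# Constructed distinfo format: one "ALGO (filename) = hexdigest" line per
# distfile.  The 2002 tree used MD5; the sample below uses SHA256.
DISTINFO_RE = re.compile(r"^(MD5|SHA256) \((\S+)\) = ([0-9a-fA-F]+)$")


def parse_distinfo(text):
    """Map filename -> (hashlib algorithm name, expected hex digest)."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries[name] = (algo.lower(), digest.lower())
    return entries


def checksum_ok(distinfo_text, name, data):
    """Integrity only: the downloaded bytes match the distinfo entry."""
    entry = parse_distinfo(distinfo_text).get(name)
    if entry is None:
        return False
    algo, digest = entry
    return hashlib.new(algo, data).hexdigest() == digest


# Toy stand-in for gnupg: textbook RSA over SHA-256(distinfo) with Mersenne
# primes and no padding.  Illustrative only, not a usable signature scheme.
def toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d  # (public key, private exponent)

MAINTAINER_PUB, MAINTAINER_PRIV = toy_keypair((1 << 127) - 1, (1 << 521) - 1)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair((1 << 127) - 1, (1 << 607) - 1)


def _digest_int(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign_distinfo(distinfo_text, pub, priv):
    return pow(_digest_int(distinfo_text), priv, pub[0])

def signature_ok(distinfo_text, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest_int(distinfo_text)


def checksig_fetch(distinfo_text, sig, name, data, pinned_pub=MAINTAINER_PUB):
    """What a checksig target would do before trusting a distfile: verify
    distinfo with a key from the local keyring (never one served by the
    mirror), then verify the distfile against distinfo as today."""
    return (signature_ok(distinfo_text, sig, pinned_pub)
            and checksum_ok(distinfo_text, name, data))


def make_distinfo(name, data):
    return "SHA256 (%s) = %s\n" % (name, hashlib.sha256(data).hexdigest())

# Constructed sample port: a distfile on a mirror, distinfo in the ports
# tree, and the per-port .sig the mail proposes (all values made up here).
NAME = "fake-1.0.tar.gz"
GOOD = b"fake-1.0 upstream tarball bytes"
EVIL = b"fake-1.0 upstream tarball bytes, plus a backdoor"
DISTINFO = make_distinfo(NAME, GOOD)
SIG = sign_distinfo(DISTINFO, MAINTAINER_PUB, MAINTAINER_PRIV)


def honest_mirror():
    """(checksum, checksig) when the mirror serves what was signed."""
    return checksum_ok(DISTINFO, NAME, GOOD), checksig_fetch(DISTINFO, SIG, NAME, GOOD)

def mirror_swaps_tarball():
    """Only the tarball is replaced: the existing checksum already catches it."""
    return checksum_ok(DISTINFO, NAME, EVIL), checksig_fetch(DISTINFO, SIG, NAME, EVIL)

def mirror_swaps_tarball_and_distinfo():
    """The case checksums miss: the mirror (or a MITM on plain FTP/cvsup)
    rewrites distinfo to match its tarball.  The old signature no longer
    verifies and a new one cannot be made without MAINTAINER_PRIV."""
    evil_distinfo = make_distinfo(NAME, EVIL)
    return (checksum_ok(evil_distinfo, NAME, EVIL),
            checksig_fetch(evil_distinfo, SIG, NAME, EVIL))

def mirror_ships_own_key():
    """The attacker signs with his own key and serves that pubkey too.
    It passes only if the checker accepts whatever key the mirror hands
    out; with the pinned maintainer key it fails."""
    evil_distinfo = make_distinfo(NAME, EVIL)
    evil_sig = sign_distinfo(evil_distinfo, ATTACKER_PUB, ATTACKER_PRIV)
    return (checksig_fetch(evil_distinfo, evil_sig, NAME, EVIL, pinned_pub=ATTACKER_PUB),
            checksig_fetch(evil_distinfo, evil_sig, NAME, EVIL))
```

The part that carries the security argument is the pinned_pub parameter of checksig_fetch: in the last two scenarios the checksum passes and only the signature check by a key the client already held fails, which is what the mail means by trust having to be maintained throughout the mirror infrastructure rather than by encrypting the transport. The tampered-gnupg caveat from the list above is outside what this model can show: if the verifier binary itself lies about signatures, any check layered on it is worthless.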