RE: Reflections on Trusting Trust
From: aristeu (suporte_at_wahtec.com.br)
To: <email@example.com> Date: Tue, 29 Nov 2005 18:49:11 -0200
> Can you explain what you mean here. Virtually all distfiles needed to
> build a port have MD5 and maybe SHA-256 hashes embedded in the ports
> tree. The only way to easily circumvent these is to subvert the ports
> tree - which gets back to the issue of trusting the FreeBSD distribution.
> I agree that there's currently no integrity checking on packages.
> (And, BTW, tar has no integrity checks).
Anyone who is between you and freebsd cvsup server can make his own ports
tree repository. That being done, he just need to redirect your connection
and wait 'til your next cvsup sync is done.
About the tar.bz2 archives or what ever you use with tar, yes, if a file is
corrupted it doesn't finish decompressing... nice check, huh... :P well, was
a joke, sort of.
> I don't believe this solves anything. The biggest problem is ensuring
> that you can trust your initial keyring or root certificate
> collection. Putting "trusted" keys on an ISO only gives you circular
> trust - you trust that the ISO image came from the people who made it.
There must be a beggining. Or else people will need to go to the
headquarters to get the CD or to the CA to get their certificate. Root
certficates don't expire?
> There's no easy way to verify that it came from the FreeBSD Project.
> The FreeBSD project also discourages the inclusion of GPL code in the
> base system, making gnupg unattractive as a base system candidate.
> Finally, PGP does not have the concept of "important" keys - this is
> closer to the X.509 model. The base system already includes tools for
> handling X.509 signatures (openssl) and there is already a collection
>of X.509 keys embedded in the ports system (security/ca-roots).
It's the easiest way I could think of, without inserting another trust point
(CA's infraestructure and the people who work on them). I'm not against
X.509 signatures, I like them as I like pub key. BUT you need to know that,
yet, installing a ca-root certificates port, downloading a public key or
resynching your ports tree implies on network transmission of certificates,
keys, or hashes. MITM can be done in all that. The part I dont like is that
a hash is just a hash. No one owns it.
About the GNU part an user from this list, sent me an email telling me there
is an BSD license solution comming soon. Thanks markzero for the note.
Well, anyway, for me, public keys or certificates must be pre-installed on
the ISO release and hashes serves only for integrity check, nothing more.
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"