Re: Reflections on Trusting Trust
- From: Peter Jeremy <PeterJeremy@xxxxxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 05:15:30 +1100
On Wed, 2005-Nov-30 14:43:43 +0100, Alexander Leidinger wrote:
>Kurt Seifried <listuser@xxxxxxxxxxxx> wrote:
>
>>should have people upload their keys. On another note I am available
>>to sign PGP keys (proving your key/identity is an exercise left to
>>the reader =),
>
>or to the signer... the keys are available in the handbook (either from
>www.freebsd.org or in raw from http://cvsweb.freebsd.org/doc)
But how do I know that the data I download from *.freebsd.org hasn't
been tampered with? Either by a MITM attack between me and the real
*.freebsd.org site or a DNS attack redirecting me to a third site.
This was the nub of my original posting.
> And AFAIK this is all PGP is supposed to verify, that the person
>behind "user@xxxxxxxxxxx" is the same as the person with access to the
>secret key for this address.
PGP is susceptible to MITM attacks - Ann asks Bruce for his public
key. Mallory intercepts the request and substitutes his own public
key. He can then intercept, alter and re-sign following exchanges so
neither Ann nor Bruce realise they have an intruder.
>But this assumes the signer trusts the FreeBSD.org security:
If you don't trust the FreeBSD Project you wouldn't run FreeBSD.
> Without ssh access there's no way to insert a key into the CVS
>repository.
Assuming no security holes in the infrastructure... How can I tell
that my private copy of the FreeBSD Project's CVS repository is the
same as the one on whatever.FreeBSD.org?
--
Peter Jeremy
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
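
The key substitution described in the message above (Ann, Bruce, Mallory), as an added example that is not part of the original post: a key fetched over the network is accepted only if its OpenPGP v4 fingerprint (RFC 4880, section 12.2) matches one Bruce gave Ann over a separate channel. The key material, timestamp and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_packet(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, packet body."""
    data = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(data).hexdigest().upper()


def accept_key(received_body: bytes, pinned_fpr: str) -> bool:
    """Accept a key from the network only if it matches the out-of-band fingerprint."""
    got = v4_fingerprint(received_body)
    want = pinned_fpr.replace(" ", "").upper()
    return hmac.compare_digest(got, want)


# Constructed toy values (far too small to be real keys).
BRUCE_KEY = rsa_key_packet(1133374530, n=0xC5A1D3F7 * 0xE9B4A7C1, e=65537)
MALLORY_KEY = rsa_key_packet(1133374530, n=0xD2C3B4A5 * 0xF1E2D3C7, e=65537)
# What Bruce reads to Ann in person or over the phone (assumed trusted channel).
BRUCE_FPR_OUT_OF_BAND = v4_fingerprint(BRUCE_KEY)


def fetch_key(mitm: bool) -> bytes:
    """Ann's request for Bruce's key; with mitm=True Mallory swaps in his own."""
    return MALLORY_KEY if mitm else BRUCE_KEY


if __name__ == "__main__":
    for mitm in (False, True):
        ok = accept_key(fetch_key(mitm), BRUCE_FPR_OUT_OF_BAND)
        print(f"mitm={mitm}: key accepted={ok}")
```

The check only moves the trust question to the channel that carried the fingerprint: if that value also came from the same download, the comparison proves nothing.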