Dag-Erling Smørgrav
2017-Dec-12 12:06 UTC
http subversion URLs should be discontinued in favor of https URLs

"Poul-Henning Kamp" <phk at phk.freebsd.dk> writes:
> The only realistic way for the FreeBSD project to implement end-to-end
> trust, is HTTPS with a self-signed cert, distributed and verified
> using the project's PGP-trust-mesh and strong social network.

Your suggestion does not remove implicit and possibly misplaced trust, it just moves it from one place to another. Instead of trusting a certificate authority and DNS, you trust the source of the public key, and probably also DNS. As always, it boils down to a) key distribution is hard and b) what's your threat model?

DES
--
Dag-Erling Smørgrav - des at des.no
Poul-Henning Kamp
2017-Dec-12 12:59 UTC
http subversion URLs should be discontinued in favor of https URLs

--------
In message <86d13kgnfh.fsf at desk.des.no>, Dag-Erling Smørgrav writes:
> "Poul-Henning Kamp" <phk at phk.freebsd.dk> writes:
>> The only realistic way for the FreeBSD project to implement end-to-end
>> trust, is HTTPS with a self-signed cert, distributed and verified
>> using the project's PGP-trust-mesh and strong social network.
>
> Your suggestion does not remove implicit and possibly misplaced trust,
> it just moves it from one place to another. Instead of trusting a
> certificate authority and DNS, you trust the source of the public key,
> and probably also DNS. As always, it boils down to a) key distribution
> is hard and b) what's your threat model?

I don't think I agree with any of that …

With respect to authenticity of the FreeBSD SVN repo I cannot imagine anybody else being even one percent as qualified and trustworthy as the FreeBSD project's own core team. In particular I would never trust any "in the CA racket for the money" organization to do so.

If you are worried that the FreeBSD project "staff" cannot handle a root cert competently, then the exposure is no smaller or larger than if it was a CA-signed cert they fumbled.

Trusting DNS doesn't apply if the project root cert was stored on my local machine after I used my best judgement of PGP signatures to conclude that it was authentic.

And I don't really see distribution of this particular key being difficult at all: we already PGP-sign release checksums for authenticity, and the FreeBSD root cert is just another file to get the same treatment.

Poul-Henning
--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
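The scheme the two messages argue over (a self-signed project root certificate whose fingerprint the user checks out of band against a PGP-signed checksum, then pins locally in place of the CA bundle) as an added, runnable sketch. This is not code from the thread or from the FreeBSD project: it generates a throwaway self-signed certificate in a temp directory to stand in for the project root cert, represents the published pin as a plain fingerprint string (the PGP signing and checking of that string is the out-of-band step DES calls "key distribution", and is not simulated), and shows the Subversion client configuration that trusts only the pinned file. It assumes the `openssl` command-line tool; `ssl-trust-default-ca` and `ssl-authority-files` are real keys of svn's `servers` file, while the host name `svn.example.test` and the group name are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeBSD project.
# Simulates offline: project publishes a self-signed root cert plus its
# fingerprint (in reality inside a PGP-signed checksum file); the client
# accepts the cert only if the fingerprint matches the verified pin.
set -eu
WORK=$(mktemp -d)

# Stand-in for the project's self-signed root certificate (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=svn.example.test" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# SHA-256 fingerprint of the DER-encoded cert, in OpenSSL's colon form.
# This is the value the project would publish in its signed checksum file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
PUBLISHED_PIN=$(cert_fingerprint "$WORK/root.pem")

# Client side: accept a downloaded cert only if it matches the pin the user
# verified through PGP. Exit status 0 on match, non-zero otherwise.
check_pin() {
    cert="$1"; pin="$2"
    [ "$(cert_fingerprint "$cert")" = "$pin" ]
}

# What the two trust models say about the same certificate: the default
# CA store rejects a self-signed cert; the pinned file accepts it as its
# own anchor. Each prints "accept" or "reject".
verify_against_system() {
    openssl verify "$1" >/dev/null 2>&1 && echo accept || echo reject
}
verify_against_pinned() {
    cert="$1"; pinned="$2"
    openssl verify -CAfile "$pinned" "$cert" >/dev/null 2>&1 \
        && echo accept || echo reject
}

# Subversion client config trusting ONLY the pinned file for this host
# (keys are svn's own; group and host names are constructed).
write_svn_servers() {
    out="$1"; cafile="$2"
    cat > "$out" <<EOF
[groups]
project = svn.example.test

[project]
ssl-trust-default-ca = no
ssl-authority-files = $cafile
EOF
}

# Walk through the flow once for the reader.
if check_pin "$WORK/root.pem" "$PUBLISHED_PIN"; then
    echo "pin matches: $PUBLISHED_PIN"
    write_svn_servers "$WORK/servers" "$WORK/root.pem"
fi
echo "default CA store: $(verify_against_system "$WORK/root.pem")"
echo "pinned file:      $(verify_against_pinned "$WORK/root.pem" "$WORK/root.pem")"
```

The point both messages circle is visible in the two `verify_against_*` results: nothing about the certificate changed, only which anchor the client was told to consult. Whether the pinned anchor is more trustworthy than the CA bundle depends entirely on how `PUBLISHED_PIN` reached the user, which is exactly the key-distribution question the first message raises.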