>>> Cryptographically signed ISO images
>>> http://docs.freebsd.org/cgi/mid.cgi?20140302172759.GA4728

>> If the use of [the signed] SHA-2[56] hashes doesn't provide enough
>> assurance that the ISO images are authentic can you explain the
>> crypto technology that you are looking for?

Signing the ISO's [hashes of same] is a common practice. As is now signing the packages. However, just remember that both of these are only handwavy security bandaids trying to be placed from the periphery in, which is not the way to do things right...

Until the FreeBSD project ...

(1) moves to a repository such as Git [or something like the even further crypto integrated Monotone], where the repository itself has an internal crypto hash structure that can be signed from the very first initializing commit and upon later commits/tags/branches, etc...

and

(2) has and uses deterministic reproducible builds for everything flowing downstream from that [the source repo, packages, isos, build servers, rsync/ftp/http distribution servers, web/wiki/forum/mail servers, etc...]

... signing the periphery may look good to the casual observer, but it is ultimately untraceable in any cryptographic sense to the code from which those periphery elements are purported to come from.

That's not a good position to be in, and is a clarification regarding discontiguous trust chains that needs pointed out.

It also wouldn't hurt to have the repo on ZFS raidzN sha256, ECC ram, etc... if not already.

>> if you verified the certificate of https host...

... you probably have more to learn about verification.

https://www.eff.org/observatory
https://en.wikipedia.org/wiki/Certificate_transparency

And let's not forget the needed DNSSEC and IPSEC components. Though 1 and 2 above would be a great start.

References...
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
https://wiki.debian.org/ReproducibleBuilds
https://gitian.org/
http://git-scm.com/about/distributed
http://git-scm.com/about/info-assurance
http://www.monotone.ca/
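The "internal crypto hash structure" from point (1) of the message above, as an added example that is not part of the original message or of any FreeBSD tooling: it computes Git's SHA-1 object ids for blobs, flat trees and commits, and shows that altering a file in the oldest snapshot changes the id of the newest commit, so a signature over that one id covers the whole history. The file contents, author identity, timestamp and helper names are constructed for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<kind> <length>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(files: dict) -> str:
    """Flat tree of regular files: 'mode name\\0' + raw 20-byte blob id per entry."""
    body = b"".join(
        b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob_id(data))
        for name, data in sorted(files.items())
    )
    return git_object_id("tree", body)

def commit_id(files: dict, parents: list, message: str) -> str:
    # Constructed identity and fixed timestamp keep the ids deterministic.
    who = "Example Dev <dev@example.org> 1400000000 +0000"
    lines = [f"tree {tree_id(files)}"] + [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def tip_of_history(snapshots: list) -> str:
    """Commit each snapshot on top of the previous one and return the last id."""
    parents = []
    for n, files in enumerate(snapshots):
        parents = [commit_id(files, parents, f"snapshot {n}")]
    return parents[0]

# Constructed sample history: two snapshots of a tiny source tree.
MAKEFILE = b"hello: hello.c\n\tcc -o hello hello.c\n"
HISTORY = [
    {"Makefile": MAKEFILE, "hello.c": b"int main(void) { return 1; }\n"},
    {"Makefile": MAKEFILE, "hello.c": b"int main(void) { return 0; }\n"},
]

def rewrite_first_snapshot(history: list) -> list:
    """Same final tree, but one file in the oldest snapshot is altered."""
    first = {**history[0], "hello.c": b"int main(void) { return 2; }\n"}
    return [first] + history[1:]

if __name__ == "__main__":
    print("tip (original) :", tip_of_history(HISTORY))
    print("tip (rewritten):", tip_of_history(rewrite_first_snapshot(HISTORY)))
```

A signed hash of an ISO, by contrast, binds only the bytes of that ISO; nothing in it links back to a commit id unless the build is reproducible from that commit, which is point (2).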
YB Tan Sri Dato Sri' Adli a.k.a Dell via freebsd-hackers
2014-Jun-18 18:48 UTC
RE: Secure Infrastructure [Crypto signed ISO images]
Hello,

I am in the midst of diagnosing my Apple Powerbook G4 with the Lubuntu Linux operating system. The powerpc architecture will be my working platform in writing automated shell scripting and automated installers shell scripting for various platforms in the market. As a freelance engineer, I am working with Proton DRB Hicom to design and develop rapid prototyping CAD open source for automobile industries. Please do not hesitate to contact me at +60173623661 at any time.