On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:
I'm at the stage now, where I need to validate and certify the Security Officer's PGP key before I can verify the signature. Documentation suggests "...comparing
the key during a phone call." Later, there is the reality that "If you don't know the
owner of the public key you are really in trouble."
Is there some recommended course to follow when it comes to handling these
FreeBSD security patches?
The point of doing that is that you need to verify to your own satisfaction that the key that says "FreeBSD Security Officer" really comes from the FreeBSD Security Officer, and not Joe Evil who is trying to convince you to run malicious code on your system in the name of a security patch.
How much convincing you need is up to you
I think I was born paranoid. Odds are I was looking both ways before even considering poking my head into this world.
That became apparent once I stopped whining.- if you are happy with comparing the key fingerprint included in copies of the documentation, you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the copy that was probably installed with your system, or versions on the web. If you really want to talk to the security officer to verify his key, you can email him to arrange a phonecall. Of course, then you're trusting the email and phone system, etc :-) [1]
Kris
[1] Security is hard, there are no magic solutions - the best you can
do is to minimize the level of risk to an level that is acceptable to
you.
Thanks again, Bob.
-- I've learned that whatever hits the fan will not be evenly distributed.
FreeBSD 4.9-RELEASE-p2 #0
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
