On Sun, Oct 22, 2017 at 10:14:40PM +0000, Eric McCorkle wrote: > Hello everyone, > > The following is a write-up of my current design for a public-key trust > system: > > https://www.metricspace.net/files/freebsd_trust.pdf > > Some of you are certainly familiar with some or all of this; > I've discussed parts of it before on -hackers and -security, and I > discussed it in greater detail in BoF sessions at vBSDCon. It seems > things are heating up in this direction, so I'd like to get this out > there and get discussion and feedback. > > I plan on undertaking work on this in the very near future, especially > since the commit-train for GELI EFI is ready to arrive in HEAD. > > A bit about the format: this is sort of the "meat" of what I hope will > be a paper some day, but it's still an initial draft. Moreover, it > talks about things I'm planning as if they exist, mainly because I don't > want to have to go back and rewrite everything in the future. In > reality, most of what I talk about is just a proposal at this point, > with a few bits being implemented as a PoC here and there. > > Please read and consider the designs I've proposed. I welcome any > feedback and suggestions. I'll give it a week minimum from today before > I resume any work on this stuff.
Hey Eric, Thank you so much for working on this. I do have a few questions. I'm curious about the rational behind not requiring expiration of trusted root key material. Can jails contain a different trust chain than the host? Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
signature.asc
Description: PGP signature
