"Poul-Henning Kamp" <p...@phk.freebsd.dk> writes:
> "Dag-Erling Smørgrav" <d...@des.no> writes:
> > Your suggestion does not remove implicit and possibly misplaced
> > trust, it just moves it from one place to another. Instead of
> > trusting a certificate authority and DNS, you trust the source of
> > the public key, and probably also DNS. As always, it boils down to
> > a) key distribution is hard and b) what's your threat model?
> I don't think I agree with any of that ?
>
> With respect to authenticity of the FreeBSD SVN repo I cannot imagine
> anybody else being even one percent as qualified and trustworthy as the
> FreeBSD project's own core-team. [...]
Let me rephrase: it's not just the source of the key or certificate, but the path from that source to you. There is *always* some level of blind trust, and all your suggestion does is move it from one place to another.

You trust the certificate because you trust the PGP key that was used to sign it, but why do you trust the key? Did someone you know personally vouch for it? Do you trust them? Were they present when the key was generated, or do they trust it because someone *they* trust told them it was genuine? Does your trust in whomever gave you the key translate to those they trust? Is there a bottom to this pit?

The bottom line is, once again, that key distribution is hard, and that you shouldn't make infosec decisions without having at least a vague outline of a threat model.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
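The regress described in the message above can be made concrete with a small model. The following is an added example, not part of the thread and not FreeBSD or PGP tooling: it treats a web of trust as a graph of "who signed whose key" and searches for a path from the key in question back to a set of trust anchors, the keys you accept without further verification. The key names (`svn-server-cert`, `core-team-key`, `root-ca`, `friend-A`, `friend-B`) and the signature graph are constructed for illustration.

```python
"""Trust-path search over a constructed web of trust.

Added example, not code from the freebsd-security thread. It models the
point that validating a key or certificate always terminates at an anchor
you trust axiomatically; changing the anchor relocates that trust, it does
not remove it.
"""
from collections import deque

# Constructed sample web: signer -> keys that signer has signed.
# Two independent routes vouch for the SVN server certificate:
#   a conventional CA, and the core team's PGP key, which is itself
#   signed by a chain of acquaintances.
SIGNATURES = {
    "root-ca": {"svn-server-cert"},
    "core-team-key": {"svn-server-cert"},
    "friend-A": {"core-team-key"},
    "friend-B": {"friend-A"},
}


def invert(signatures):
    """Build key -> set of signers from signer -> set of signed keys."""
    signers_of = {}
    for signer, signed in signatures.items():
        for key in signed:
            signers_of.setdefault(key, set()).add(signer)
    return signers_of


def trust_path(target, anchors, signatures, max_hops=10):
    """Return [anchor, ..., target] if `target` is reachable from an anchor.

    Breadth-first search backwards: at each step ask "who signed this key?".
    The walk stops only when it reaches a key in `anchors`; with no anchors
    there is no bottom to the pit and the result is None. `max_hops` bounds
    how much delegated trust you are willing to accept.
    """
    signers_of = invert(signatures)
    queue = deque([[target]])
    seen = {target}
    while queue:
        path = queue.popleft()
        head = path[0]
        if head in anchors:
            return path
        if len(path) > max_hops:
            continue
        for signer in sorted(signers_of.get(head, ())):
            if signer not in seen:
                seen.add(signer)
                queue.append([signer] + path)
    return None


def describe(path):
    """Render a path as a chain of vouching statements for a human reader."""
    if path is None:
        return "no path to any trust anchor; verification fails"
    if len(path) == 1:
        return f"{path[0]} is itself a trust anchor"
    steps = [f"{a} vouches for {b}" for a, b in zip(path, path[1:])]
    return f"anchor {path[0]}: " + "; ".join(steps)


if __name__ == "__main__":
    target = "svn-server-cert"
    # Trust the CA: one hop of delegated trust.
    print(describe(trust_path(target, {"root-ca"}, SIGNATURES)))
    # Trust a friend's PGP key instead: the anchor moved, the chain grew.
    print(describe(trust_path(target, {"friend-B"}, SIGNATURES)))
    # Refuse to trust anything a priori: nothing can ever validate.
    print(describe(trust_path(target, set(), SIGNATURES)))
    # Cap delegated trust at one hop: the long PGP chain is rejected.
    print(describe(trust_path(target, {"friend-B"}, SIGNATURES, max_hops=1)))
```

Running the three queries side by side shows the substance of the argument: the CA route and the PGP route both validate the same certificate, and the only difference is which key sits at the head of the path. Removing every anchor does not make the system more secure, it makes verification impossible, and the `max_hops` parameter is where a threat model enters, since it states how many layers of "someone I trust trusts them" you are prepared to accept.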