On Fri, Jan 02, 2009 at 05:44:12PM +0100, cpghost wrote:
> Any idea? Could this be implemented as a plugin to Subversion (since
> it must access previous revisions of files and previously computed
> digests)? Given read-only access to the repository, a set of simple
> Python scripts or C/C++ progra
On Tue, Jan 06, 2009 at 09:08:56PM -0800, Walt Pawley wrote:
> At 12:31 PM -0700 1/6/09, Chad Perrin wrote:
>
> >On the other hand, I don't trust Verisign, either.
>
> What's to trust? If you pay them, you're "in."
Exactly. That's why I -- as the guy sitting in front of the *browser* --
don't trus
On Wed, Jan 07, 2009 at 08:37:37AM +, Matthew Seaman wrote:
>
> You're kind of stuck then aren't you -- at least in respect TLS/SSL and
> x509 certificates? If you don't trust any of the bodies who have the
> capability to authenticate the owners of a particular cryptographic
> key/certificat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Chad Perrin wrote:
| On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
|> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
|>> Out-of-band corroboration of a certificate's authenticity is kind of
|>> necessary to the security model of SS
On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
> >
> > Out-of-band corroboration of a certificate's authenticity is kind of
> > necessary to the security model of SSL/TLS. A self-signed certificate,
> > in and of itself, is not really
At 12:31 PM -0700 1/6/09, Chad Perrin wrote:
>On the other hand, I don't trust Verisign, either.
What's to trust? If you pay them, you're "in."
--
Walter M. Pawley
Wump Research & Company
676 River Bend Road, Roseburg, OR 97471
541-672-8975
On Tuesday 06 January 2009 17:56:43 Olivier Nicole wrote:
> Hi,
>
> > It shouldn't be so hard to give every citizen the option to "get an
> > online certificate corresponding with their passport" and similarly for
> > Chambers of Commerce to provide certificates for businesses.
>
> Only that would
Hi,
> It shouldn't be so hard to give every citizen the option to "get an online
> certificate corresponding with their passport" and similarly for Chambers of
> Commerce to provide certificates for businesses.
Only that would mean that 200 countries become Certificate Authorities
and tens of t
On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
> On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> > >>someone like the FreeBSD Foundation as an appropriate body to own the
> > >>cert.
> > >
> > >
> > >I would actually trust a self-signed cert by the FreeBSD security
> > >
On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> >>someone like the FreeBSD Foundation as an appropriate body to own the
> >>cert.
> >
> >
> >I would actually trust a self-signed cert by the FreeBSD security officer,
> >more than one by Verisign.
> of course.
>
> there is no nee
someone like the FreeBSD Foundation as an appropriate body to own the cert.
I would actually trust a self-signed cert by the FreeBSD security officer,
more than one by Verisign.
of course.
there is no need to have an "authority" to make key pairs, everybody does it
alone.
actually i would fe
> > Unless designed carefully, there will be substantial logistical
> > problems to maintaining such lists of signatures.
> ...
> > You can then verify the correctness of what's on your disk ...
>
> The idea is that one needs to get this public key only once
> ...
> IMHO, this could or should take
On Saturday 03 January 2009 03:45:11 Matthew Seaman wrote:
> [*] Buying a high security cert from the likes of Verisign or OpenSRS would
> set you back about £800 p.a. and it would probably be necessary to use
> someone like the FreeBSD Foundation as an appropriate body to own the cert.
I would
On Sat, 3 Jan 2009 19:46:59 +0100
cpghost wrote:
> On Sat, Jan 03, 2009 at 01:38:25AM +, RW wrote:
> > On Fri, 02 Jan 2009 17:30:12 +
> > Vincent Hoffman wrote:
> > > Admittedly this doesn't give a file by file checksum
> >
> > That's not really a problem, it's no easier to create a col
On Sat, Jan 03, 2009 at 12:45:11PM +, Matthew Seaman wrote:
> RW wrote:
> > On Fri, 02 Jan 2009 17:30:12 +
> > Vincent Hoffman wrote:
> >> Admittedly this doesn't give a file by file checksum
> >
> > That's not really a problem, it's no easier to create a collision
> > in a .gz file than
On Sat, Jan 03, 2009 at 01:38:25AM +, RW wrote:
> On Fri, 02 Jan 2009 17:30:12 +
> Vincent Hoffman wrote:
> > Admittedly this doesn't give a file by file checksum
>
> That's not really a problem, it's no easier to create a collision
> in a .gz file than a patch file.
>
> The more substa
RW wrote:
On Fri, 02 Jan 2009 17:30:12 +
Vincent Hoffman wrote:
Admittedly this doesn't give a file by file checksum
That's not really a problem, it's no easier to create a collision
in a .gz file than a patch file.
The more substantial weakness is that the key is verified against a
ha
On Fri, 02 Jan 2009 17:30:12 +
Vincent Hoffman wrote:
> Admittedly this doesn't give a file by file checksum
That's not really a problem, it's no easier to create a collision
in a .gz file than a patch file.
The more substantial weakness is that the key is verified against a
hash stored on
On Fri, Jan 02, 2009 at 10:53:29PM +0100, Wojciech Puchar wrote:
> >> other ways to compromise Your systems.
> >>
> >> if one really cares then make your VPN for all your computers, use one that
> >> is unknown for others to download portsnap etc. and then use rsync to
> >> populate it to other mach
other ways to compromise Your systems.
if one really cares then make your VPN for all your computers, use one that
is unknown for others to download portsnap etc. and then use rsync to
populate it to other machines.
I'm already getting the files from one location and disseminating
them via rsync-o
On Fri, Jan 02, 2009 at 08:04:10PM +0100, Wojciech Puchar wrote:
> > It's a beginning for sure. I assume (403 error) Max generates and
> > saves digests on his snapshots and the verification script does the
> > same locally and simply compares both lists.
>
> it's plain paranoia. Yes such attacks a
It's a beginning for sure. I assume (403 error) Max generates and
saves digests on his snapshots and the verification script does the
same locally and simply compares both lists.
it's plain paranoia. Yes such attacks are possible but usually there are 100
other ways to compromise Your systems.
if
On Fri, Jan 02, 2009 at 05:30:12PM +, Vincent Hoffman wrote:
> cpghost wrote:
> > Hello,
> >
> > with MITM attacks [1] on the rise, I'm concerned about the integrity
> > of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> > (and portsnap) from master or mirror servers.
> >
On Fri, Jan 02, 2009 at 11:26:45AM -0600, Matt wrote:
> On Fri, Jan 2, 2009 at 10:44 AM, cpghost wrote:
> > Hello,
> >
> > with MITM attacks [1] on the rise, I'm concerned about the integrity
> > of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> > (and portsnap) from master
On Fri, Jan 2, 2009 at 10:44 AM, cpghost wrote:
> Hello,
>
> with MITM attacks [1] on the rise, I'm concerned about the integrity
> of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> (and portsnap) from master or mirror servers.
>
> [1] http://en.wikipedia.org/wiki/Man-in-th
cpghost wrote:
> Hello,
>
> with MITM attacks [1] on the rise, I'm concerned about the integrity
> of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> (and portsnap) from master or mirror servers.
>
> [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
>
> There's alrea
Hello,
with MITM attacks [1] on the rise, I'm concerned about the integrity
of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
(and portsnap) from master or mirror servers.
[1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
There's already a small protection against