Reflections on Trusting Trust
Robert Watson
rwatson at FreeBSD.org
Mon Nov 28 20:51:51 GMT 2005
On Sun, 27 Nov 2005, Peter Jeremy wrote:
> or "How do I know my copy of FreeBSD is the same as yours?"
>
> I have recently been meditating on the issue of validating X.509 root
> certificates. An obvious extension to that is validating FreeBSD
> itself.
This topic has come up countless times over the years, and one of the
recurring debates that comes up with it is what it is the "Project" wants
to promise, and whether we want to get into the business of managing lots
of keying material. Like it or not, the weaker the promises you make, the
easier they are to keep :-). The concept of even a security officer key
has always made me somewhat nervous -- clearly, this is a "valuable" key,
but it's also one that has to be made available to anyone who is going to
sign a security advisory. We have persistently signed security
advisories, errata notes, and release announcements for the past few
years, and the release announcements have included release checksums.
I think it would be useful to go quite a bit further, but I think we
should be careful to do it for pragmatic reasons, and to be very clear on
what it is we are doing by signing things, how hard we are willing to try
to protect the keying material, and so on.
Robert N M Watson
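The release announcements the message refers to carry checksums for the release files. The following is an added example, not code from the original thread or from the FreeBSD Project, showing the file-verification half of that process: parse a BSD-style checksum list of the form "SHA256 (file) = hexdigest", hash each named file in a directory and report it as ok, mismatch or missing. The manifest text, file names and contents here are constructed for the demo. The example deliberately stops short of signature checking: a matching checksum only proves the file matches the announcement, and it is the signature on the announcement (verified separately, against a key obtained out of band) that ties the list to the Project, which is exactly the promise the message is weighing.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One checksum line per file, the layout used by BSD checksum tools.
MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA256|SHA512)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hexdigest>[0-9a-fA-F]+)$"
)


def parse_manifest(text):
    """Return {file name: (hashlib algorithm name, expected hex digest)}.

    Any line that is not blank, a comment, or a recognised checksum line is
    rejected outright rather than silently skipped, so a damaged or edited
    list cannot quietly drop a file from verification.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised checksum line: {raw!r}")
        entries[m["name"]] = (m["algo"].lower(), m["hexdigest"].lower())
    return entries


def digest_file(path, algo):
    """Hash a file in chunks so large release images do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(manifest_text, directory):
    """Check every file named in the manifest; return {name: 'ok'|'mismatch'|'missing'}.

    Files present in the directory but absent from the manifest are not
    vouched for by the announcement at all, so they are simply not reported
    as verified.
    """
    results = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = digest_file(path, algo)
        # compare_digest avoids early-exit timing differences; harmless here,
        # but it is the habit to keep when comparing any secret or digest.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed stand-in for a release image\n"
        (Path(d) / "release.iso").write_bytes(good)
        (Path(d) / "release.txz").write_bytes(b"constructed altered archive\n")
        manifest = "\n".join([
            "# constructed checksum list, not from any real announcement",
            f"SHA256 (release.iso) = {hashlib.sha256(good).hexdigest()}",
            f"SHA256 (release.txz) = {'0' * 64}",
            f"SHA256 (absent.txz) = {'1' * 64}",
        ])
        return verify_directory(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Running the script reports "ok" for the intact file, "mismatch" for the altered one and "missing" for the file the list names but the directory lacks; a mismatch or a missing file should be treated as a failed verification of the whole set, not of one file.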