[RESEND] Re: Digital Signatures (fwd)
Sorry for the repost, beat the pine developers...
Thorsten
---
begin electrogram from Ben Goren
>> Ok, but are the CDs trustworthy?
>
>Personally, I trust the CDs a *lot* more than I trust
>Thawte. Sounds like you trust Thawte more than the CDs. To each
>his own, but I'd bet that Theo et al. are with me on this one.
I ack, but read on.
>> Even if they are, I still DO want a sample .ssh/known_hosts
>> pre-initialized with the ssh keys of the OpenBSD hosts (for
>> example, anoncvs) in the main distribution (misc31.tgz IMHO is
>> the place this belongs to).
>
>This I like. Why don't you submit such a sample? OpenBSD is, after
>all, about scratching itches, and it sounds like you're the one
>most in need of hydrocortisone cream here. Oh--the proper place
>for site-wide ssh hosts files is somewhere in /etc; exactly where
>depends on how new your ssh is.
I am thinking of a file which is something like ~/.ssh/known_hosts,
only for the OpenBSD anoncvs etc. hosts, where users can copy out
public host keys as needed, to be assured of the identity of the
anoncvs host. I can't do it because I am not sitting on such a machine.
>By what mechanism would an attacker tamper with the certificates?
You can always find one ;)
>Between Calgary and (in my case) Tempe, Arizona, only Canada Post
>and the USPS have access to the CD. If you're worried about either
Between Belgium and Germany there are few ways, too. But how many of
us do get their CDs from Canada?
I remember I got, e.g., my Debian 2.1 CD set on self-burnt CDs from
an "official" dealer...
>of them intercepting your order and replacing it with a duplicated
>CD with a compromised certificate, don't. Worry instead about men
>with neither necks nor souls. And don't forget your tinfoil hat.
Sorry I don't understand this one.
>> Letting the cert being signed by an external entity whose cert
>> is well-known to most users seems to be necessary [. . . .]
>
>Thawte is owned by Verisign aka Network Solutions. I personally
>don't trust corporations much to begin with, but Netsol deserves
>no trust whatsoever. I, and everybody else I've ever spoken with
>who has had dealings with Netsol, have at least one horror story in
>which Netsol abused trust placed in them.
Owned != Controlled. They just assure, legally, for the identity
of a certificate (that its data are correct).
>And you want to trust them to certify the validity of OpenBSD
>releases because...?
I don't want (how many times must I say it?) to let them validate releases.
OpenBSD people validate releases, they just make sure the mail
has not been tampered with, and optionally identify the sender.
>If you're really in a position where you can't trust a CD sent
>through the mail, you're already screwed. If you really think
I don't know. Mine don't even come from Canada, do they?
>you're vulnerable to a man-in-the-middle attack when you download
>the patches, then actually read and understand the patches before
>you apply them. And, for heaven's sake, *DON'T* run -current!
I run what I want.
I just proposed something that has been asked for damned often
on the list, with some thinking behind it.
And it's funny that the world's securest OS doesn't even have https
on its main page.
Ok, if none of you people agree, I will shut up now, and this
will have no negative benefit for me personally. Mind this.
If someone still wishes to follow up, feel free to do this,
but since there is not much interest on the lists, I wish
you to do this in personal email. Thanks.
Thorsten
--
Yes, I am root on my box, my friends' boxen and my mailgate.
And yes, I do know how to handle it. Yes, I know about kill-rules,
too. So WTF do you still bother filling my syslog?
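The mechanism proposed in the message above (a known_hosts-style file of public host keys shipped with the release, against which the anoncvs host's identity is checked) amounts to host-key pinning. The following is an added example, not code from the OpenBSD project or from anyone in the thread: it parses a known_hosts file, handles both plain and hashed host fields (the `|1|salt|hmac` form is a later OpenSSH feature than this 1999-era thread, included here as an assumption about what such a file looks like today), and classifies a key a server presents as known-good, changed, or never seen. All host names and key material below are constructed for the demonstration; the ed25519 keys are arbitrary bytes, not real OpenBSD keys.

```python
"""Check a presented SSH host key against a distributed known_hosts file.

Added example; the hosts, keys and file contents are constructed, not real.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pub: bytes) -> bytes:
    """Build the public-key blob that OpenSSH base64-encodes for ssh-ed25519."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pub)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, no '=')."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host: str, salt: bytes) -> str:
    """known_hosts hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


def known_keys(known_hosts: str, host: str, keytype: str) -> list:
    """Return every key blob known_hosts records for host under keytype."""
    blobs = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, b64 = fields[0], fields[1], fields[2]
        if ktype == keytype and host_matches(hosts, host):
            blobs.append(base64.b64decode(b64))
    return blobs


def verify_host_key(known_hosts: str, host: str, keytype: str,
                    presented_b64: str) -> str:
    """Classify the key a server presented: 'ok', 'mismatch' or 'unknown'."""
    presented = base64.b64decode(presented_b64)
    known = known_keys(known_hosts, host, keytype)
    if not known:
        return "unknown"      # first contact: verify out of band, never trust blindly
    if any(hmac.compare_digest(presented, k) for k in known):
        return "ok"
    return "mismatch"         # key changed, or a man in the middle


# Constructed sample: two fake hosts, one recorded plainly, one hashed.
ANONCVS_KEY = ed25519_blob(bytes(range(32)))
MIRROR_KEY = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; a real file would carry the project's host keys",
    "anoncvs.example.org,192.0.2.10 ssh-ed25519 "
    + base64.b64encode(ANONCVS_KEY).decode(),
    hashed_host("mirror.example.org", b"0123456789abcdefghij")
    + " ssh-ed25519 " + base64.b64encode(MIRROR_KEY).decode(),
])


def demo() -> dict:
    """Run the check for the cases a user of the shipped file would hit."""
    good = base64.b64encode(ANONCVS_KEY).decode()
    tampered = base64.b64encode(ed25519_blob(bytes(range(1, 33)))).decode()
    mirror = base64.b64encode(MIRROR_KEY).decode()
    kt = "ssh-ed25519"
    return {
        "anoncvs_good": verify_host_key(SAMPLE_KNOWN_HOSTS, "anoncvs.example.org", kt, good),
        "anoncvs_by_ip": verify_host_key(SAMPLE_KNOWN_HOSTS, "192.0.2.10", kt, good),
        "anoncvs_tampered": verify_host_key(SAMPLE_KNOWN_HOSTS, "anoncvs.example.org", kt, tampered),
        "mirror_hashed": verify_host_key(SAMPLE_KNOWN_HOSTS, "mirror.example.org", kt, mirror),
        "stranger": verify_host_key(SAMPLE_KNOWN_HOSTS, "cvs.example.net", kt, good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s %s" % (name, result))
    print("anoncvs fingerprint:", fingerprint(ANONCVS_KEY))
```

With a real OpenSSH client the same checks are `ssh-keygen -F host -f FILE` (look up a host in a given file) and `ssh-keyscan host | ssh-keygen -lf -` (fingerprint what the server currently presents); the value of a shipped file is that the "unknown" case, where the client would otherwise accept whatever key it first sees, never arises for the project's own hosts.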