Okay Wes, this is your original message.
You state:

        "This is exactly the sort of problem we need to solve..."

In the context of this message I must assume that since
the subject is SSH, then you are referring to SSH.
If not, there is nothing in the message that would
lead me to believe otherwise.

If I have mis-quoted you, please clarify your
statement so that I might make appropriate reparations.

                        respectfully,
                        Jessem.

BTW, your original message is below:
=============================================
Message-ID: <[EMAIL PROTECTED]>

On 25 Dec, Wes Peters wrote:
> David O'Brien wrote:
>> 
>> On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
>> > Incorrect..the problems with SSH come down to flaws in the human
>> > operator who ignore the warnings SSH gives them, and tell it
>> > explicitly to do insecure things like connect to a server which is
>> > suddenly not the one you're used to connecting to.
>> 
>> And we, the FreeBSD Project, don't do a thing to help this situation.
>> We change the SSH keys on the freebsd.org machines left and right w/o
>> *ANY* notice to committers that they have been changed.  So we've trained
>> our own committers to have sloppy habits that could lead to malicious code
>> being added to the FreeBSD CVS source repository.
> 
> This is exactly the sort of problem we need to solve in a usable and secure
> manner, so we can be an example to hold up and say "this is one way you can
> make it work."
> 
> I'm completely open to suggestions as to how we can accomplish that.  A few
> ideas leap to mind, but unfortunately, short of a hierarchical calling
> list, none of them really work, relying on other key information that may 
> have changed also.  Sending an email with the new certs signed by the SO
> or other authoritative key would work, given that everyone already has the
> OS cert or key, unless it is the SO key that is changing.
> 
> With a little bit of perspiration, we could probably create a calling list
> that minimizes overseas and long distance calls, but reaching far-flung 
> people on the phone is often difficult, expensive work.
> 



