Re: Foiling MITM attacks on source and ports trees

2009-01-13 Thread cpghost
On Fri, Jan 02, 2009 at 05:44:12PM +0100, cpghost wrote: Any idea? Could this be implemented as a plugin to Subversion (since it must access previous revisions of files and previously computed digests)? Given read-only access to the repository, a set of simple Python scripts or C/C++ programs

Re: Foiling MITM attacks on source and ports trees

2009-01-09 Thread Chad Perrin
On Wed, Jan 07, 2009 at 08:37:37AM +, Matthew Seaman wrote: You're kind of stuck then aren't you -- at least in respect TLS/SSL and x509 certificates? If you don't trust any of the bodies who have the capability to authenticate the owners of a particular cryptographic key/certificate on

Re: Foiling MITM attacks on source and ports trees

2009-01-09 Thread Chad Perrin
On Tue, Jan 06, 2009 at 09:08:56PM -0800, Walt Pawley wrote: At 12:31 PM -0700 1/6/09, Chad Perrin wrote: On the other hand, I don't trust Verisign, either. What's to trust? If you pay them, you in. Exactly. That's why I -- as the guy sitting in front of the *browser* -- don't trust

Re: Foiling MITM attacks on source and ports trees

2009-01-07 Thread Matthew Seaman
Chad Perrin wrote: | On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote: | On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote: | Out-of-band corroboration of a certificate's authenticity is kind of | necessary to the security model of

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Tait
Unless designed carefully, there will be substantial logistical problems to maintaining such lists of signatures. ... You can then verify the correctness of what's on your disk ... The idea is that one needs to get this public key only once ... IMHO, this could or should take place at

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Wojciech Puchar
someone like the FreeBSD Foundation as an appropriate body to own the cert. OT I would actually trust a self-signed cert by the FreeBSD security officer, more than one by Verisign. Of course. There is no need to have an authority to make key pairs, everybody does it alone. Actually I would

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Chad Perrin
On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote: someone like the FreeBSD Foundation as an appropriate body to own the cert. OT I would actually trust a self-signed cert by the FreeBSD security officer, more than one by Verisign. Of course. There is no need to have an

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Mel
On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote: On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote: someone like the FreeBSD Foundation as an appropriate body to own the cert. OT I would actually trust a self-signed cert by the FreeBSD security officer, more than

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Olivier Nicole
Hi, It shouldn't be so hard to give every citizen the option to get an online certificate corresponding with their passport and similarly for Chambers of Commerce to provide certificates for businesses. Only that would mean that 200 countries become Certificate Authorities and tens of

OT: The future of CA's (Was: Re: Foiling MITM attacks on source and ports trees)

2009-01-06 Thread Mel
On Tuesday 06 January 2009 17:56:43 Olivier Nicole wrote: Hi, It shouldn't be so hard to give every citizen the option to get an online certificate corresponding with their passport and similarly for Chambers of Commerce to provide certificates for businesses. Only that would mean that

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Walt Pawley
At 12:31 PM -0700 1/6/09, Chad Perrin wrote: On the other hand, I don't trust Verisign, either. What's to trust? If you pay them, you in. -- Walter M. Pawley w...@wump.org Wump Research Company 676 River Bend Road, Roseburg, OR 97471 541-672-8975

Re: Foiling MITM attacks on source and ports trees

2009-01-06 Thread Chad Perrin
On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote: On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote: Out-of-band corroboration of a certificate's authenticity is kind of necessary to the security model of SSL/TLS. A self-signed certificate, in and of itself, is not really

Re: Foiling MITM attacks on source and ports trees

2009-01-05 Thread Mel
On Saturday 03 January 2009 03:45:11 Matthew Seaman wrote: [*] Buying a high security cert from the likes of Verisign or OpenSRS would set you back about £800 p.a. and it would probably be necessary to use someone like the FreeBSD Foundation as an appropriate body to own the cert. OT I would

Re: Foiling MITM attacks on source and ports trees

2009-01-03 Thread Matthew Seaman
RW wrote: On Fri, 02 Jan 2009 17:30:12 + Vincent Hoffman vi...@unsane.co.uk wrote: Admittedly this doesn't give a file by file checksum That's not really a problem, it's no easier to create a collision in a .gz file than a patch file. The more substantial weakness is that the key is

Re: Foiling MITM attacks on source and ports trees

2009-01-03 Thread cpghost
On Sat, Jan 03, 2009 at 01:38:25AM +, RW wrote: On Fri, 02 Jan 2009 17:30:12 + Vincent Hoffman vi...@unsane.co.uk wrote: Admittedly this doesn't give a file by file checksum That's not really a problem, it's no easier to create a collision in a .gz file than a patch file. The

Re: Foiling MITM attacks on source and ports trees

2009-01-03 Thread cpghost
On Sat, Jan 03, 2009 at 12:45:11PM +, Matthew Seaman wrote: RW wrote: On Fri, 02 Jan 2009 17:30:12 + Vincent Hoffman vi...@unsane.co.uk wrote: Admittedly this doesn't give a file by file checksum That's not really a problem, it's no easier to create a collision in a .gz file

Re: Foiling MITM attacks on source and ports trees

2009-01-03 Thread RW
On Sat, 3 Jan 2009 19:46:59 +0100 cpghost cpgh...@cordula.ws wrote: On Sat, Jan 03, 2009 at 01:38:25AM +, RW wrote: On Fri, 02 Jan 2009 17:30:12 + Vincent Hoffman vi...@unsane.co.uk wrote: Admittedly this doesn't give a file by file checksum That's not really a problem, it's

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread Vincent Hoffman
cpghost wrote: Hello, with MITM attacks [1] on the rise, I'm concerned about the integrity of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup (and portsnap) from master or mirror servers. [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack There's already a

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread Matt
On Fri, Jan 2, 2009 at 10:44 AM, cpghost cpgh...@cordula.ws wrote: Hello, with MITM attacks [1] on the rise, I'm concerned about the integrity of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup (and portsnap) from master or mirror servers. [1]

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread cpghost
On Fri, Jan 02, 2009 at 11:26:45AM -0600, Matt wrote: On Fri, Jan 2, 2009 at 10:44 AM, cpghost cpgh...@cordula.ws wrote: Hello, with MITM attacks [1] on the rise, I'm concerned about the integrity of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup (and portsnap) from

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread cpghost
On Fri, Jan 02, 2009 at 05:30:12PM +, Vincent Hoffman wrote: cpghost wrote: Hello, with MITM attacks [1] on the rise, I'm concerned about the integrity of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup (and portsnap) from master or mirror servers. [1]

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread Wojciech Puchar
It's a beginning for sure. I assume (403 error) Max generates and saves digests on his snapshots and the verification script does the same locally and simply compares both lists. It's plain paranoia. Yes, such attacks are possible, but usually there are 100 other ways to compromise your systems. If

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread cpghost
On Fri, Jan 02, 2009 at 08:04:10PM +0100, Wojciech Puchar wrote: It's a beginning for sure. I assume (403 error) Max generates and saves digests on his snapshots and the verification script does the same locally and simply compares both lists. It's plain paranoia. Yes, such attacks are

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread Wojciech Puchar
other ways to compromise your systems. If one really cares, then make your VPN for all your computers, use one that is unknown for others to download portsnap etc. and then use rsync to populate it to other machines. I'm already getting the files from one location and disseminate them via

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread cpghost
On Fri, Jan 02, 2009 at 10:53:29PM +0100, Wojciech Puchar wrote: other ways to compromise your systems. If one really cares, then make your VPN for all your computers, use one that is unknown for others to download portsnap etc. and then use rsync to populate it to other machines. I'm

Re: Foiling MITM attacks on source and ports trees

2009-01-02 Thread RW
On Fri, 02 Jan 2009 17:30:12 + Vincent Hoffman vi...@unsane.co.uk wrote: Admittedly this doesn't give a file by file checksum That's not really a problem, it's no easier to create a collision in a .gz file than a patch file. The more substantial weakness is that the key is verified against