Trust system write-up
Romain Tartière
romain at FreeBSD.org
Mon Oct 23 07:11:27 UTC 2017
Hello Eric,
On Sun, Oct 22, 2017 at 06:14:40PM -0400, Eric McCorkle wrote:
> The following is a write-up of my current design for a public-key trust
> system:
>
> https://www.metricspace.net/files/freebsd_trust.pdf
Two minor things while reading:
1. p2: from an end-user perspective, `trustctl` expects DER encoded
certificates and CRL; while `certs` and `rootcerts` output PEM
encoded certificates… So the formats are not the same, and maybe
consistency would be advisable here;
2. p3: 'the preferred configuration' is said to be the most used one,
but as described it only includes a single crt+key and does not look
suitable for distributing upgrades with freebsd-update(8).
Unless I missed something, I guess it's just the way it is described
that needs disambiguation:
- "local nodes" are basically what is described as "Preferred
configuration", and have a single key+crt.
So these nodes can only run the code they signed.
- "high-security institutions" are kept as is, that is a single crt;
So these nodes can only run code signed by the institution.
Hybrid systems can be built by having more than one root node:
- "preferred configuration" have a local key+crt (as a local node)
AND the FreeBSD project's crt.
So these nodes can run FreeBSD's code and their own code.
- "standard FreeBSD images" as described have the FreeBSD project's
crt. When installing, they generate a local key+crt and add them
with the FreeBSD crt to the new system's trust store. So these
images have the "high-security institutions" scheme, and install
systems in the "preferred configuration" scheme.
Thanks!
Romain
--
Romain Tartière <romain at FreeBSD.org> http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59 80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
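The three trust-store shapes discussed above, modelled as an added example that is not code from the thread or from the proposed trust system: two constructed self-signed roots stand in for the FreeBSD project's crt and a local node's key+crt, and Accepts checks whether a store holding a given set of roots accepts code signed under each. The helper names, the certificate names and the code-signing EKU constraint are assumptions of the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert (hypothetical helper) issues a cert for name: a self-signed root (a "crt") when parent is nil, else a code-signing leaf issued by parent/pkey.
func mkCert(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // leaf: code signing only
	}
	if parent == nil { // root: a CA that signs itself with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Accepts reports whether a trust store holding exactly roots accepts code signed under leaf.
func Accepts(roots []*x509.Certificate, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
// Scenario models the stores from the thread with two constructed roots; per store: {local code accepted, FreeBSD code accepted}.
func Scenario() map[string][2]bool {
	fbsd, fbsdKey := mkCert("FreeBSD project root (constructed)", nil, nil)
	local, localKey := mkCert("local node root (constructed)", nil, nil)
	fbsdCode, _ := mkCert("freebsd-update payload (constructed)", fbsd, fbsdKey)
	localCode, _ := mkCert("locally built code (constructed)", local, localKey)
	out := map[string][2]bool{}
	for name, roots := range map[string][]*x509.Certificate{
		"local node": {local}, "standard FreeBSD image": {fbsd}, "preferred configuration": {local, fbsd},
	} {
		out[name] = [2]bool{Accepts(roots, localCode), Accepts(roots, fbsdCode)}
	}
	return out
}
func main() { fmt.Println(Scenario()) }
```

Only the "preferred configuration" store, holding both roots, accepts both the locally signed code and the FreeBSD-signed code; the single-root stores each reject the other party's code.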