PGP Utility?

Kris Kennaway kris at obsecurity.org
Wed Mar 17 14:43:57 PST 2004


On Wed, Mar 17, 2004 at 04:22:59PM -0500, Bob Perry wrote:

> I'm at the stage now, where I need to validate and certify the Security
> Officer's PGP key before I can verify the signature. Documentation suggests
> "...comparing the key during a phone call."   Later, there is the reality
> that "If you don't know the owner of the public key you are really in
> trouble."
> 
> Is there some recommended course to follow when it comes to handling these
> FreeBSD security patches?

The point of doing that is that you need to verify to your own
satisfaction that the key that says "FreeBSD Security Officer" really
comes from the FreeBSD Security Officer, and not Joe Evil who is
trying to convince you to run malicious code on your system in the
name of a security patch.

How much convincing you need is up to you - if you are happy with
comparing the key fingerprint included in copies of the documentation,
you can look at the copy in the FreeBSD Handbook on a FreeBSD CD, the
copy that was probably installed with your system, or versions on the
web.  If you really want to talk to the security officer to verify his
key, you can email him to arrange a phone call.  Of course, then you're
trusting the email and phone system, etc :-) [1]

Kris

[1] Security is hard, there are no magic solutions - the best you can
do is to minimize the level of risk to a level that is acceptable to
you.
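The fingerprint comparison Kris describes above, as an added example that is not part of the original thread and not FreeBSD project code: the script takes a key's fingerprint (as printed by `gpg --with-colons`) and accepts it only if every independently obtained copy of the fingerprint (Handbook on CD, installed docs, web copy, a phone call) agrees with it. The fingerprint values, the colon-format sample and the `key.asc` file name are constructed placeholders, not the real Security Officer key; the `gpg` invocation in the comment is how a practitioner would feed real key material into `extract_fprs` on GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: cross-check a PGP key fingerprint against copies recorded
# from independent sources before trusting the key for signature checks.

# Normalize a fingerprint so "0123 4567 ... " and "0123456789..." compare equal:
# drop whitespace and uppercase the hex digits.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print fingerprint lines only.
# A fingerprint record looks like "fpr:::::::::<40 hex chars>:"; field 10 is the value.
# For a real key file (GnuPG >= 2.1):
#   gpg --with-colons --import-options show-only --import key.asc | extract_fprs
extract_fprs() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# check_fpr KEY_FPR REF_FPR...
# Succeeds (exit 0) only if KEY_FPR is non-empty and equals every reference copy.
# A single disagreeing source is enough to refuse the key: that is the whole
# point of gathering copies from more than one place.
check_fpr() {
  key_fpr=$(normalize_fpr "$1")
  shift
  [ -n "$key_fpr" ] || return 1
  for ref in "$@"; do
    [ "$(normalize_fpr "$ref")" = "$key_fpr" ] || return 1
  done
  return 0
}

# Constructed sample of --with-colons output; the fingerprint is a placeholder.
SAMPLE_COLONS='pub:-:1024:17:89ABCDEF01234567:2004-03-17::-:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2004-03-17::0000000000000000000000000000000000000000::Example Security Officer <so@example.invalid>::::::::::0:'

# Placeholder copies "recorded" from independent sources (constructed values).
FPR_FROM_CD="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
FPR_FROM_INSTALLED_DOCS="0123456789abcdef0123456789abcdef01234567"
FPR_FROM_PHONE="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4568"   # last digit differs

KEY_FPR=$(printf '%s\n' "$SAMPLE_COLONS" | extract_fprs)

if check_fpr "$KEY_FPR" "$FPR_FROM_CD" "$FPR_FROM_INSTALLED_DOCS"; then
  echo "CD and installed docs agree with the key: OK to import"
fi

if check_fpr "$KEY_FPR" "$FPR_FROM_CD" "$FPR_FROM_PHONE"; then
  echo "unexpected: mismatching copy accepted"
else
  echo "phone copy disagrees: do NOT trust this key until the discrepancy is explained"
fi
```

Only after `check_fpr` succeeds against every copy would you import the key and run `gpg --verify` on the advisory; the script deliberately treats one dissenting source as a failure rather than a majority vote, since the source that disagrees may be the one that was tampered with, or the one that is correct.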