On Fri, Dec 28, 2012 at 9:28 AM, Matthew Seaman <matt...@freebsd.org> wrote:
> On 27/12/2012 21:01, Garrett Wollman wrote:
>>> I'm creating my own repository and have created a key for it.
>> [...]
>>> What does pkg expect to be in this file?
>
>> A public key. It does not use X.509 (nor is there any reason why it
>> should, although I suppose it could be made to at the cost of
>> significant added complexity and a bootstrapping problem).
>
> pkgng has a quite minimal signing setup -- it uses naked RSA
> public/private keys without committing to either of the two popular
> models for providing assurance on the validity of public keys (viz: PGP
> web of trust or X509 style certificate chains to some trusted root
> certificate). It's not clear at the moment if one or other or neither
> of those styles would be preferred in the future.
>
> Or it may well be the case that RFC6698 (DANE -- DNS-Based
> Authentication of Named Entities) via DNSSEC signed zone data[*] is
> preferred over either of the two means frequently used at the moment.
> Remember that there's really only one cryptographic signature needed for
> each architecture/OS version specific repository catalogue. So not a
> huge maintenance burden keeping the DNS up to date and signed even if a
> new repository catalogue is published each day.
>
> Cheers,
>
> Matthew
>
> [*] FreeBSD.org is not currently DNSSEC signed, so use of DANE will have
> to remain no more than a pipe-dream for the time being.
So why not? BIND 9.9 makes signing pretty easy and many registrars support it, though not all do. I think Tucows does, though I don't use them, so I might be wrong.

With all of the concern over security after the intrusion, this seems like a good time to get started with signing. (Yes, I know everyone is really tied up with auditing things, but if it keeps getting delayed, it will not happen.)

And, yes, DANE is clearly preferable to either PGP (#2 choice, IMHO) or X.509 (too broken to be worth considering).

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
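The "naked RSA key" model Matthew describes, and the gap he points at (a signature proves the catalogue came from whoever holds the private key, but nothing about whether that key is the repository's), as an added example that is not part of the thread and not pkgng's own code. It uses only the openssl CLI; the file names (repo.key, repo.pub, catalogue) and the sample catalogue contents are constructed for the example, and pkgng's on-disk format and the pkg.conf plumbing are not reproduced.

```shell
#!/bin/sh
# Added example, not pkgng's code: sign a repository catalogue with a "naked"
# RSA key and verify it with the public half, using only the openssl CLI.
# Names (repo.key, repo.pub, catalogue, attacker.*) are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA keypair; $1 is a name prefix such as "repo" or "attacker".
# Only the .pub half would ever be shipped to clients.
gen_key() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Detached signature over the SHA-256 digest of a catalogue.
# $1 = key prefix, $2 = catalogue file, $3 = signature output file.
sign_catalogue() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# Verify a detached signature. $1 = key prefix (public half used),
# $2 = catalogue file, $3 = signature file. Exit 0 = accept, non-zero = reject.
verify_catalogue() {
    openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Constructed sample catalogue standing in for the real repository catalogue.
CAT="$WORK/catalogue"
printf 'origin,version,sha256\nsecurity/sudo,1.8.6,deadbeef\n' > "$CAT"

gen_key repo
sign_catalogue repo "$CAT" "$WORK/catalogue.sig"

# Case 1: genuine catalogue, publisher's key: accepted.
genuine_ok() { verify_catalogue repo "$CAT" "$WORK/catalogue.sig"; }

# Case 2: a mirror appends a line; the original signature no longer matches.
TAMPERED="$WORK/catalogue.tampered"
{ cat "$CAT"; printf 'security/sudo,1.8.6,cafebabe\n'; } > "$TAMPERED"
tampered_rejected() { ! verify_catalogue repo "$TAMPERED" "$WORK/catalogue.sig"; }

# Case 3: the limit of naked keys. A second key signs the tampered catalogue
# just as validly. Only the client's choice of WHICH public key to trust
# rejects it; the signature arithmetic cannot tell "repo" from "attacker".
# That key-validity decision is what a web of trust, X.509 chain or DANE
# record would have to supply on top of this scheme.
gen_key attacker
sign_catalogue attacker "$TAMPERED" "$WORK/catalogue.attacker.sig"
attacker_ok_under_own_key()    { verify_catalogue attacker "$TAMPERED" "$WORK/catalogue.attacker.sig"; }
attacker_rejected_by_repo_key() { ! verify_catalogue repo "$TAMPERED" "$WORK/catalogue.attacker.sig"; }

if genuine_ok && tampered_rejected && attacker_ok_under_own_key && attacker_rejected_by_repo_key; then
    echo "genuine accepted, tampered rejected, foreign key accepted only under itself"
fi
```

The third case is the whole of Matthew's point: a client that fetches the public key over the same unauthenticated channel as the catalogue gains nothing from the signature, because an attacker who can swap the catalogue can swap the key too. Pinning the key out of band, or publishing its fingerprint in a DNSSEC-signed zone, is what turns "signed by some key" into "signed by the repository".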