tech-install archive


Re: HTTPS trust anchors in sysinst





On 2023-08-26 15:21, Mouse wrote:
>> [*] We should _also_ bake a public signature verification key into
>>      the installers that can verify a signature on the sets which can
>>      in turn be made only by TNF -- not by any of the public HTTPS
>>      CAs.  But that's a separate issue that requires more key
>>      management and software verifier setup than we have settled now.
>
> Once you have that, it seems to me that the use of SSL on either HTTP
> or FTP becomes pointless CPU cycle wasting.  This then leads me to
> wonder two things: (1) is doing SSL a case of the good being the enemy
> of the best (because people will fall into the trap of thinking that
> SSL means "it's secure" without asking "...against what?"[%])? and (2)
> is all this kerfuffle about CA trust anchors effort that would better
> be put into designing and building the right answer?

Even worse - we are then getting into territory where old releases might accept bad certificates, since they use SSL and have trust anchors and so on. But once those get compromised, these old releases/installers are suddenly not safe anymore. And what about time limits on certificates, and what happens if you try to use these installers later? Will they fail, give warnings, or just accept that potentially invalid certificates are still being used? With all the trust that gets inferred by this? And if we accept potentially bad certificates in the first place, what is the point of all this?

Seems more like we are trying to shoot ourselves in the foot with good intentions but possibly bad results here.

> Also, if you're doing public-key crypto - for anything - in the
> installers, this will drastically, I am tempted to say
> catastrophically, slow down installation on low-end machines, like a
> MicroVAX-II or Sun-3.  (Of course, NetBSD might be fine with that.  I
> just think it should be at least thought about.)

It will be worse than horrible...

  Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt%softjar.se@localhost             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol

