Subject: Re: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code
To: Ignatios Souvatzis <is@netbsd.org>
From: David Maxwell <david@vex.net>
List: tech-security
Date: 08/07/2002 15:28:26
On Wed, Aug 07, 2002 at 09:12:54PM +0200, Ignatios Souvatzis wrote:
> On Wed, Aug 07, 2002 at 11:06:46AM -0400, David Maxwell wrote:
> 
> > I would rather not have the MUA doing the signing, for a couple reasons:
> > 
> > Consistency - If different S-Os use different MUAs, or an S-O changes
> > MUA over time, the SAs shouldn't be text one time, MIME the next, etc.
> > 
> > Key location - I do not keep the S-O PGP key on the machine that I send
> > mail from. I sign the advisories and copy them to the machine from which
> > they are mailed.
> 
> You don't need to use the MUA. Just create a detached signature, and use
> something that mangles the detached signature and the advisory into a 
> PGP/MIME.

Detached signatures are great for things like patches, which must remain
'clean', but I prefer the integrated signatures on advisories
themselves. With detached sigs, people can forget the signatures are
available - when integrated, it's more "in your face".

> But I guess this isn't a ready to use application yet.

I'm not sure what you mean by that. I would be curious to know what
format is best supported among the various MUAs available, since it
makes sense to format our advisories to make it easiest for readers to
verify the signatures.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
An organization gets what it rewards.
			      - Perry Metzger