Jim Hyslop wrote: > I have posted an analysis of the two means of handling the RCS keyword > expansion exploit at > > http://ximbiot.com/cvs/wiki/index.php?title=Talk:GPG-Signed_Commits_RCS_Keyword_Exploit > > > Comments are welcome. >
I think you need an attack 1b: edit the revision metadata (what will be subbed into keywords) directly in the RCS file. This is equivalent to your attack 2 (replace the server software) from the point of view of the client, except it is easier to target individual files in a syntactically correct way. Since 1b & 2 are so similar, perhaps 2 should be removed entirely and old 1 & new 1b & old 2 should be grouped as 1a & 1b & 1c under a "1) Compromised server" heading. Good to note attack #3 as a reason why external verification tools could be useful. Finally, your Attack #1 (which I initially suggested renaming 1a) is really a subset of the more general case of Mallory editing any revision content directly. This is exactly what GPG-signatures were designed to detect in the first place and your document simply reiterates that the design works. I don't think this needs to be grouped under the "RCS Keyword Exploit" heading. It isn't an exploit and certainly doesn't require keywords to be in use for an attacker to try it. If you want to analyze this attack in this context, perhaps start with it as a "working example" of how signing and verification normally works before discussing the keyword attack. Such a working example might be useful to link to from the GPG-Signed Commits document too. Regards, Derek -- Derek R. Price CVS Solutions Architect Ximbiot <http://ximbiot.com> v: +1 717.579.6168 f: +1 717.234.3125 <mailto:[EMAIL PROTECTED]> _______________________________________________ Bug-cvs mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/bug-cvs
