on 3/2/01 4:08 PM, "Peter Donald" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Before you ask whether you should sign the jars - ask what you would gain
> from it. Many less respectable peeps encourage people to sign files because
> it is so easy to subvert.
>
> Without signing, security conscious people often download the source and
> rebuild from that. Signing gives them a sense of confidence in the binary
> builds which may not be warranted. Worse, signing will sometimes force a few
> tools to require a keystore which often irritates people enough that they
> will disable security by default.
This is a very good point; however, if the source can't be trusted (which is
what Glenn is suggesting), then you need something else.
> If you were to implement this for all projects I would suggest that the key
> is contained on another host. When a committer needs to sign something they
> jump on daedalus and execute a suid file that sends the jar across the wire,
> signs jar and brings it back. This key is regenerated on a specific period
> (every couple of months???). The old private key being destroyed at end of
> each period.
>
> The reason for this is that if the key is kept on daedalus (even if owned by
> root), once daedalus is compromised then so could be all the files (or at least
> all the files signed in the current period).
>
> In other words, I would suggest that security conscious people download src
> drops and compile themselves and not rely on the "safety" of signed binaries.
> YMMV of course ;)
That is way more work than needed. Placing the public key on a set of
keyservers somewhere off daedalus is much simpler than worrying about the
validity of the private key because you can use the public key to validate
the private key. Therefore, if the private key is ever found to be insecure,
then you can simply invalidate it and re-sign everything with a new key.
thanks,
-jon
--
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/> && <http://java.apache.org/turbine/>
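Both positions above hinge on what a consumer actually checks when it receives a signed jar: a digest check alone says nothing about who signed it, and a rotated or revoked key only helps if verifiers pin the signer they trust. The following is an added example (not from this thread or from any Jakarta project) showing a verifier that requires every non-signature entry of a jar to be signed by a certificate whose SHA-256 fingerprint matches a pinned value; the `TRUSTED_CERT_SHA256` constant is a placeholder to be replaced with the real fingerprint, and the jar path comes from the command line.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    // Placeholder: pin the SHA-256 fingerprint of the signing certificate you trust.
    // Rotating the signing key means publishing a new fingerprint, not trusting any valid signature.
    static final String TRUSTED_CERT_SHA256 = "PLACEHOLDER_HEX_FINGERPRINT";

    static String fingerprint(Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(der));
    }

    // Signature metadata and directories carry no code signer of their own and are skipped.
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        boolean sigBlock = n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-"));
        return sigBlock || n.equals("META-INF/MANIFEST.MF") || name.endsWith("/");
    }

    public static boolean verify(String jarPath) throws Exception {
        // verify=true makes JarFile check each entry's digest against the manifest while reading.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (isSignatureMetadata(entry.getName())) continue;
                // Signers are only populated after the entry has been read to the end;
                // a tampered entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) { in.transferTo(OutputStream.nullOutputStream()); }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false; // an unsigned entry added to a signed jar
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equalsIgnoreCase(TRUSTED_CERT_SHA256)) trusted = true;
                }
                if (!trusted) return false; // valid signature, but from a key we do not pin
            }
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(verify(args[0]) ? "OK" : "REJECT");
    }
}
```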