Excerpts from Mike Spreitzer's message of 2013-09-20 07:46:47 -0700:
> What's the threat model here?

Right now most verification loops in OpenStack rely on SSL and the PKI that it brings along. This is vulnerable to centralized compromise on several levels, and does not help if the server itself is compromised. Rubygems anyone?

However, if I have verified the keys that have signed the git tags, I can make use of that git repo with confidence. It does not matter if all of the OpenStack infra is compromised, they can't fake signing stuff with my key unless they have it.

Also if we are auto-signing anything, the infra team can sign the key for the auto-signer, so we can also secure any mirrored copies of automatically built artifacts against server side tampering.
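
An added example, not part of the original message or of any OpenStack tooling: the client-side check described above, deciding whether a tag is trusted from the GnuPG status lines that `git verify-tag --raw <tag>` prints, using only fingerprints the user verified out of band. The function names, the pinned fingerprints and the sample status output are constructed for illustration; the auto-signer certification chain is not modelled.

```python
# Added example: trust decision from GnuPG status lines, as printed by
# `git verify-tag --raw <tag>`, using only locally pinned fingerprints.

# Constructed placeholder fingerprints (not real keys), verified out of band.
PINNED = {"A" * 40: "release signer, fingerprint checked in person"}

# Status keywords that mean the signature must not be relied on.
FAILURES = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def parse_status(raw):
    """Map each GnuPG status keyword to the list of its argument lists."""
    status = {}
    for line in raw.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line[len("[GNUPG:] "):].split()
            if fields:
                status.setdefault(fields[0], []).append(fields[1:])
    return status


def tag_is_trusted(raw, pinned):
    """Return (trusted, reason) for one tag's raw verification output."""
    status = parse_status(raw)
    for keyword in FAILURES:
        if keyword in status:
            return False, keyword
    valid = status.get("VALIDSIG", [])
    if "GOODSIG" not in status or len(valid) != 1:
        return False, "no single valid signature"
    args = valid[0]
    # VALIDSIG: field 1 is the signing (sub)key fingerprint, field 10 the
    # primary key fingerprint when present. Pin the primary key.
    primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if primary not in pinned:
        return False, "signer not pinned"
    return True, pinned[primary]


def sample(primary, verdict="GOODSIG"):
    """Build constructed status output for a signature by `primary`."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] %s %s Constructed Signer <signer@example.org>" % (verdict, primary[-16:]),
        "[GNUPG:] VALIDSIG %s 2013-09-20 1379688407 0 4 0 1 8 00 %s" % (primary, primary),
    ])
```

A cryptographically valid signature from a key that is not in `PINNED` is rejected, which is the case that matters when the hosting server or its keyring is no longer trustworthy.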
