Well said. I'm glad someone else is willing to take a stab at
addressing these issues, since I've been down with the flu. Thanks
Greg.
As both Gregs have pointed out, hashes and checksums alone should only
be used as an integrity check. It is not a viable security mechanism.
A hash does not
On Wed, 2003-02-05 at 18:53, Curt Sampson wrote:
On Thu, 5 Feb 2003, Greg Copeland wrote:
Who will actually hold the key? Where will it be physically kept?
Good question but can usually be addressed.
It can be addressed, but how well? This is another big issue that I
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So you put the MD5 sum into the release announcement email. That is
downloaded by many people and also archived in many distributed places
that we don't control, so it would be very hard to tamper with.
ISTM that this gives you the same
Curt Sampson writes:
MD5, or any other unsigned check, makes sense from a security point of
view only if it is stored independently from the thing you are checking.
So you put the MD5 sum into the release announcement email. That is
downloaded by many people and also archived in many
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To answer some of my earlier questions, here is one specific way of doing it:
Tom Lane creates a PostgreSQL key, signing only, DSA, 1024 bits, that expires
in 3 years. It ends up looking something like this:
pub 1024D/0BB10D1D 2003-02-07
On Tue, 2003-02-04 at 18:27, Curt Sampson wrote:
On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
Even improperly used, digital signatures should never be worse than
simple checksums. Having said that, anyone that is
On Wed, 4 Feb 2003, Greg Copeland wrote:
If three people are required to sign a package prior to release,
what happens when one of them is unavailable for signing (vacation,
hospital, etc). This is one of the reasons why having a single project
key which the core developers sign may appear to
On Wed, Feb 05, 2003 at 15:22:12 +0900,
Curt Sampson [EMAIL PROTECTED] wrote:
On Wed, 4 Feb 2003, Greg Copeland wrote:
Hm. Splitting the key into parts is a very interesting idea, but I'd
be interested to know how you might implement it without requiring
everybody to be physically present
On Wed, 2003-02-05 at 00:22, Curt Sampson wrote:
On Wed, 4 Feb 2003, Greg Copeland wrote:
If three people are required to sign a package prior to release,
what happens when one of them is unavailable for signing (vacation,
hospital, etc). This is one of the reasons why having a single
On Tue, Feb 04, 2003 at 06:19:42PM -0600, Greg Copeland wrote:
I do agree that a checksum (or hash) is better than nothing, however, a
serious security solution it is not.
Which really is all I'm saying.
Kurt
On Thu, 5 Feb 2003, Greg Copeland wrote:
Who will actually hold the key? Where will it be physically kept?
Good question but can usually be addressed.
It can be addressed, but how well? This is another big issue that I
don't see any plan for that I'm comfortable with.
The
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
There are generally two ways to do it: have a project key, or have
each developer use their own key. The advantage of the first way is
that each release is signed by the same key, which is clearly
associated with the project. The disadvantage is
On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real one either.
Sure you can. Just verify that they've been signed by someone you trust.
On Tue, 2003-02-04 at 12:55, Kurt Roeckx wrote:
On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real one either.
Sure you can. Just
Having just started working with GPG I shouldn't be considered an expert but
it seems to me that each core developer should create a key and should
cross-sign each others' keys to form a web of trust to verify the
authenticity of those signatures. In any case, I think that if
security-related
Comments intermixed below.
On Tue, 2003-02-04 at 12:04, Steve Crawford wrote:
Having just started working with GPG I shouldn't be considered an expert but
it seems to me that each core developer should create a key and should
cross-sign each others' keys to form a web of trust to verify the
On Tue, 2003-02-04 at 12:02, Rod Taylor wrote:
On Tue, 2003-02-04 at 12:55, Kurt Roeckx wrote:
On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
Even improperly used, digital signatures should never be worse than
simple checksums. Having said that, anyone that is trusting checksums
as a form of authenticity validation is begging for trouble.
Should I point out that a
On Tue, 4 Feb 2003, Kurt Roeckx wrote:
I know how it works, it's just very unlikely I'll ever meet
someone so it gives me a good chain.
One postgresql conference is all it takes.
Anyway, I think pgp is a good thing to do, just don't assume that
it's always better than just md5.
I think it
On Tue, 4 Feb 2003, Kurt Roeckx wrote:
There really isn't any comparison here.
I didn't say you could compare the security offered by both of
them. All I said was that md5 also makes sense from a security
point of view.
MD5, or any other unsigned check, makes sense from a security point
On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
Even improperly used, digital signatures should never be worse than
simple checksums. Having said that, anyone that is trusting checksums
as a form of authenticity validation
On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
Even improperly used, digital signatures should never be worse than
simple checksums. Having said that, anyone that is trusting checksums
as a form of authenticity validation is
On Tue, Feb 04, 2003 at 23:13:47 +0100,
Kurt Roeckx [EMAIL PROTECTED] wrote:
So a fingerprint and all the hash/digest functions have no purpose
at all?
The purpose of both is to reduce the amount of material in a way that
makes it hard to generate some other material that would result in the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think we should PGP sign all the official packages that are
provided for download from the various mirror sites.
Doesn't anyone around here read pgsql-general? :) I've been arguing for
this over there since June of last year. I've also been
On Sun, 2003-02-02 at 21:23, Marc G. Fournier wrote:
well, if you want to tell me the steps, I'll consider it ...
I certainly wouldn't consider myself to be an expert in PGP, but my
understanding of the basic steps is:
(1) Generate a public/private key pair for the PGDG team. This should be
(3) Sign official releases using the PGDG private key, and provide the
signatures on www.postgresql.org along with the packages themselves.
Sounds about right. I'd go as far as to sign release announcements and
security emails as well.
--
Rod Taylor [EMAIL PROTECTED]
PGP Key:
On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
right, that is why we started to provide md5 checksums ...
md5 checksums only validate that the intended package (trojaned or
legit) has been properly received. They offer nothing from a security
perspective unless the checksums have been
On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
right, that is why we started to provide md5 checksums ...
md5 checksums only validate that the intended package (trojaned or
legit) has been properly received. They offer
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real one either.
Sure you can. Just verify that they've been signed by someone you trust.
For example, next time I happen to run into Bruce Momjian, I hope
On Mon, 2003-02-03 at 13:55, Kurt Roeckx wrote:
On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
right, that is why we started to provide md5 checksums ...
md5 checksums only validate that the intended package
On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real one either.
Sure you can. Just verify that they've been signed by someone you trust.
For
On Tue, 3 Feb 2003, Greg Copeland wrote:
Surely there are a couple of key developers who would be willing to
sign each other's keys and have previously met before. Surely this
would be the basis for phone validation. Then, of course, there is the ol'
snail-mail route too. Of course, nothing
On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
2. Do I trust him to take care of his own key and be careful signing
other keys?
3. Do I trust his opinion that the postgres release-signing key that
he signed is indeed valid?
4. Do I trust the holder of the postgres
Neil Conway [EMAIL PROTECTED] writes:
I think we should PGP sign all the official packages that are provided
for download from the various mirror sites.
This is probably a good idea.
I'd volunteer to do the work myself, except that it's pretty closely
intertwined with the release process
On Sun, 2003-02-02 at 18:39, Neil Conway wrote:
Folks,
I think we should PGP sign all the official packages that are provided
for download from the various mirror sites. IMHO, this is important
because:
- ensuring that end users can trust PostgreSQL is an important part to
getting the
On Sun, 2 Feb 2003, Neil Conway wrote:
Folks,
I think we should PGP sign all the official packages that are provided
for download from the various mirror sites. IMHO, this is important
because:
- ensuring that end users can trust PostgreSQL is an important part to
getting the product used
On Sunday 02 February 2003 21:23, Marc G. Fournier wrote:
On Sun, 2 Feb 2003, Neil Conway wrote:
I think we should PGP sign all the official packages that are provided
for download from the various mirror sites. IMHO, this is important
because:
right, that is why we started to provide md5
Marc G. Fournier [EMAIL PROTECTED] writes:
On Sun, 2 Feb 2003, Neil Conway wrote:
- ensuring that end users can trust PostgreSQL is an important part to
getting the product used in mission-critical applications, as I'm sure
you all know. Part of that is producing good software; another part is