On Mon, Nov 25, 2002 at 09:34:40AM -0500, Michael T. Babcock wrote:
Signatures require a) somebody checks THE WHOLE SOURCE for trojans. This
will take weeks and therefore will never happen. b) that we can keep the
private key secure. This is unlikely.
Have you participated (without identifying yourself) in any large projects
that currently GPG-sign their sources / binaries? All you have to do is
sign them when you package them. What people want from the signature is
the knowledge that the package is as the author created it and not repackaged
by a third party.
We have been over this...
As for source errors or hidden trojans, that can always happen, but a signed
release lets you announce a patch release, admitting the trojanning and users
know that the new release is also from the usual packaging author.
Sure, if the trojaned release didn't compromize the announcement
mechanism. The whole point here is not to rely on the website, so we
have to be able to get revocation certificates etc from freenet.
Keeping a private key secure is really easy in this context (use a CD/floppy).
More importantly you can always create private keys with 3 or 6 month expiries
so that you have to create new keys before then and sign them with the old
keys so that anyone who actually compromises the key doesn't gain much. Being
able to revoke GPG/PGP keys makes this almost unnecessary as well (are you
actually familiar with the technology involved in how GPG/PGP work? Go read
the fine manual ... www.gnupg.org).
Um, if I am patronized on public key cryptography by another luser, I
will scream. Seriously, keeping a private key secure is nigh on
impossible even with hardware tokens against any moderately funded
opponent. Hence the need for revocation of the insertion key by developers.
with IE or Mozilla for that matter. Please do some research ...
Signed JAR files go through verisign. That is not good.
Signed JAR files don't go through verisign; that's one company that offers such
signatures. You don't actually need to use their signatures; see www.openssl.org
or www.openca.org for something more complex. There are open and free ways to
create and manage signing authorities for JARs as well (again, I happen t`o do this
stuff for a living).
openca.org looks unfinished. Does it actually have something working?
And is it known by Internet Explorer, or at least Mozilla? Web of trust
only works when you know somebody else on the web (which is in practice
impossibly rare), and a hierarchical system like verisign only works if
you trust the corporation, which means a) you have to trust the
corporation - a lot of people would be skeptical about this point w.r.t.
many of them, and b) you pay a usually significant amount of money to
the CA, and c) the CA is a legal body which can be attacked.
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
This advice brought to you by a lot of cash I didn't charge for the advice ...
http://www.fibrespeed.net/~mbabcock/
--
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
msg02253/pgp0.pgp
Description: PGP signature
