On Fri, Nov 22, 2002 at 08:42:29AM -0500, Michael T. Babcock wrote: > > Date: Mon, 18 Nov 2002 08:51:05 -0800 > > To: [EMAIL PROTECTED] > > From: [EMAIL PROTECTED] > > > > You can, of course, revoke signatures with GPG without a problem > > > and then sign the distributions with it (at least as a detached > > > signature). > > > > > > The installer could offer to check that signature by calling GPG > > > but this is highly insecure (as anyone who replaced the binary would > > > forge the call). What you really want is for people to check the > > > signature themselves (with GPG/PGP). > > > Yes thats excellent from a corporate perspective since the more areas > > you leave for the l'users your customers to fuckup the less liability > > you have. > > > > However in an open for the most part volunteer project such liability > > and profit concerns do not arise so for that reason the developers can > > afford to design systems to protect the l'user from their own > > incompetence and are necessary if one cares to attempt to offer security > > and anonymity rather than create opportunities to destroy it. > > Your complete lack of grammar and ability to express yourself coherently > is somewhat distressing but I'll reply nonetheless. > > My comment had nothing to do with liability and in fact I do security > consulting for individuals and businesses; I am not a lawyer, and do not > care about liability issues in this type of arena. > > The problem that arises with digitally signed binaries is that the > signature checking system _must not_ be distributed with the binaries to > be checked and the signatures or signator keys _must_ be available out of > band. Signatures require a) somebody checks THE WHOLE SOURCE for trojans. This will take weeks and therefore will never happen. b) that we can keep the private key secure. This is unlikely. > > If the binaries are signed and come with a detached signature, any user can > double-click the signature file and receive a PGP/GPG message asking if > they wish to check the signature. The installer can easily come with the > instructions to check the signatures, as well as a short commentary on why > this important for the security of their file store and the project as a > whole. The binaries, however, must be assumed to be untrusted and untrustable > for the sake of such a discussion and as such, only the method I described > keeps the user from receiving a message such as 'signature checks out' when > in fact the image they received was either tainted or damaged. > > Feel free to reply with a full discussion / reasoning behind your wanting to > do things any differently for this (preferably technical) and I'll listen. > There is no reason _not_ to distribute detached signatures for each of the > installer and/or JAR images. Signed JAR files are also possible and checkable > with IE or Mozilla for that matter. Please do some research ... Signed JAR files go through verisign. That is not good. > > -- > Michael T. Babcock > CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc) > http://www.fibrespeed.net/~mbabcock/ >
-- Matthew Toseland [EMAIL PROTECTED] [EMAIL PROTECTED] Freenet/Coldstore open source hacker. Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03 http://freenetproject.org/
msg02220/pgp00000.pgp
Description: PGP signature
