I was trying to point out the fact that any system relies on trust and
to devise a sensible system we have to pick a few things to trust.
You have to trust the interface with which you perform the signing.
How much effort is required to trust a component should be
discussed.
I believe that there are some human elements that can be 'fixed'. Some
room for human errors can be removed if it would be impossible for the
keeper of the master key to extract the private key from the signing
tool, even if he/she wanted to.

-John


On Tue, 2004-03-30 at 02:03, Joshua Brindle wrote:
> This thread is getting way 'out there'. No one ever said that GPG signing
> is the end-all in security, no one ever said that it's the perfect method
> of protection, what we did say is that it's *a lot* better than what we
> have now.
> I wish that people would stop coming up with obscure holes in the
> signing model, there is no way around them but this is a far greater
> amount of protection than we have now.
> The key to security is layers, we implement as many layers of security
> as possible to prevent compromises but there is obviously a huge human
> element that we can't 'fix'. The obscure ways of defeating the model
> should not stop us from implementing it, and it won't so let's try to
> keep our eyes on the goal and not get drawn off by non-productive
> distractions.
>
> Joshua Brindle
>
>
> John Nilsson wrote:
>
> > You have to trust the device that you interface with in any case. If the
> > computer is compromised, how do you know that the message you pipe
> > through for signing is the same as on the screen?
> >
> > -John
> >
> > On Mon, 2004-03-29 at 10:47, Paul de Vrieze wrote:
> >
> > On Sunday 28 March 2004 18:39, Sami Näätänen wrote:
> >
> >
> >>To do what?
> >
> >>The master key will not be present there.
> >>And if you don't provide those keys that are in the card the keys you
> >>make with the trojaned machine can't be validated with the master
> >>public key.
> >
> > That would only work if the external device actually performs the
> > signing. Not when the key itself is readable by the computer the device
> > is inserted in. I don't know if it would be possible to acquire such a
> > device although they probably exist.
> >
> > Paul
> >
>
> --
> gentoo-dev@g.o mailing list
>
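The thread turns on two design points: a signing token that performs the signature internally so the host never sees the private key (Paul's and John's point), and the host being able to substitute what gets signed for what the operator saw on screen (John's earlier question). The model below is an added illustration, not code from the thread or from any Gentoo tooling. It uses textbook RSA over constructed small primes (far too small for real use) purely so the whole thing runs offline; the `SigningDevice`, `preview`, `sign` and `verify` names, and the idea that the device has its own display on which the operator confirms a digest, are assumptions of this example. Sami's point is also covered: a signature made by a key the trojaned machine generated itself does not validate under the master public key.

```python
"""Toy model of an external signing token with a non-extractable private key,
plus a "what you see is what you sign" digest confirmation step.
Illustration only: textbook RSA with tiny constructed primes, not secure."""
import hashlib
from dataclasses import dataclass

# Constructed toy primes for the master key (illustration only; real keys are
# thousands of bits). 1000003 and 999983 are both prime.
_P, _Q, _E = 1000003, 999983, 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


class SigningDevice:
    """Models a token that signs internally. The host sees only public_key(),
    preview() and sign(); the private exponent lives in a closure so there is
    deliberately no attribute the host side could read it back from."""

    def __init__(self, p: int = _P, q: int = _Q, e: int = _E):
        n = p * q
        d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, never exported
        self._pub = PublicKey(n, e)

        def _raw_sign(h: int) -> int:
            return pow(h, d, n)

        self._raw_sign = _raw_sign

    def public_key(self) -> PublicKey:
        return self._pub

    def preview(self, message: bytes) -> str:
        """What the device would show on its own display: the digest of the
        bytes it actually received from the host, not what the host claims."""
        return hashlib.sha256(message).hexdigest()

    def sign(self, message: bytes, approved_digest: str) -> int:
        """Sign only if the operator approved exactly this message's digest."""
        digest = self.preview(message)
        if digest != approved_digest:
            raise ValueError("device refuses: digest does not match approval")
        return self._raw_sign(int(digest, 16) % self._pub.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Verification needs only the public key, as the master public key
    distributed to users would."""
    expected = int(hashlib.sha256(message).hexdigest(), 16) % pub.n
    return pow(signature, pub.e, pub.n) == expected


def honest_flow(device: SigningDevice, message: bytes):
    """Operator computes the digest on a display they trust, the device shows
    the digest of what it received, the two agree, signing proceeds."""
    trusted_digest = hashlib.sha256(message).hexdigest()  # trusted terminal
    if device.preview(message) != trusted_digest:
        return None
    return device.sign(message, trusted_digest)


def compromised_host_flow(device: SigningDevice, intended: bytes, substituted: bytes):
    """A trojaned host swaps the message on its way to the device. The
    operator approves the digest of what they intended; the device displays
    the digest of what it actually got. Returns (operator_approved, signed)."""
    trusted_digest = hashlib.sha256(intended).hexdigest()
    approved = device.preview(substituted) == trusted_digest
    # Even if the host replays the operator's approval, the device refuses
    # because the approval is bound to a different digest.
    try:
        device.sign(substituted, trusted_digest)
        signed = True
    except ValueError:
        signed = False
    return approved, signed


if __name__ == "__main__":
    master = SigningDevice()
    msg = b"Manifest for app-foo/bar-1.0 (constructed sample)"
    sig = honest_flow(master, msg)
    print("honest signature verifies:", verify(master.public_key(), msg, sig))
    print("trojaned host caught:", compromised_host_flow(master, msg, b"swapped"))
    # Constructed rogue key made on the trojaned machine (999979, 999961 prime)
    rogue = SigningDevice(p=999979, q=999961)
    rsig = honest_flow(rogue, msg)
    print("rogue key validates under master key:",
          verify(master.public_key(), msg, rsig))
```

The digest confirmation only moves the trust question rather than removing it: the operator's reference digest has to come from something they already trust, which is exactly the point John makes about having to trust the interface. What the device does remove is the need to trust the host with the key itself.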