| 1 |
On Fri, Nov 21, 2003 at 11:38:55PM -0500, Lisa Seelye wrote: |
| 2 |
|
| 3 |
> If the key server/signature is compromised you have gained nothing over |
| 4 |
> the way we have it now. |
| 5 |
|
| 6 |
This isn't true. GPG *can* be done with trusted keyservers, but as |
| 7 |
you point out that's silly. The best way to do it is with the web of |
| 8 |
trust. We generate a key for trusted@g.o, who signs, say, |
| 9 |
avenj's, drobbins's, and seemant's keys, and is then removed from the |
| 10 |
computer and put onto 3 or so CD's (for redundancy), which are locked |
| 11 |
away in a safe. avenj, drobbins and seemant go around signing every |
| 12 |
developer's key (this is the hardest part because it shouldn't be |
| 13 |
autmated). |
| 14 |
|
| 15 |
The public key for trusted@g.o is then posted to an area of |
| 16 |
gentoo.org, made available on the mirrors, posted to keyservers, etc. |
| 17 |
and the fingerprint is made widely available (mailinglists, IRC topics, |
| 18 |
etc.). The gentoo developers and some of the gentoo powerusers |
| 19 |
(hopefully the ones who are most active on the forums, mailinglists, and |
| 20 |
IRC), sign the trusted@g.o key. |
| 21 |
|
| 22 |
We then have the following properties: |
| 23 |
* everyone knows what the trusted@g.o public key is. |
| 24 |
* no-one knows, or can possibly find out, what the private key is. |
| 25 |
* the widespread knowledge of the public key cannot easily be |
| 26 |
changed. |
| 27 |
|
| 28 |
This allows gentoo to distribute signed (by drobbins, seemant and avenj) |
| 29 |
livecd's and stageballs that contain the public key itself. Users are |
| 30 |
encouraged to verify these signatures and are told what the signatures |
| 31 |
not matching means (ie, danger). |
| 32 |
|
| 33 |
Let's examine a few things that can go wrong once this is in place: |
| 34 |
|
| 35 |
A distfiles mirror is cracked: Lots of users download trojan'd packages, |
| 36 |
which fail verification against the maintainer's GPG key. The cracker |
| 37 |
can't fake a signature - that's one of the properties of a digital |
| 38 |
signature. The mirror admin is notified, mirror is cleaned up. No |
| 39 |
damage is done - in fact this is probably looks *good* for Gentoo. With |
| 40 |
the current system, it would be easily possible to compromise hundred's |
| 41 |
of people's machines. |
| 42 |
|
| 43 |
A developer's machine is cracked, and his keys stolen: Fake packages are |
| 44 |
uploaded, and possibly hundreds of machines are affected. This is pretty |
| 45 |
bad. The developer issues a revocation of his key, which is propogated |
| 46 |
in the same way that new keys are, and affected users find out that |
| 47 |
their machines have been compromised and which specific packages caused |
| 48 |
it. They can then start rebuilding their machines, or doing forensics, |
| 49 |
or whatever. Contrast this with the current system, where we have to |
| 50 |
hope that they hear the announcement, or come on IRC at the right time, |
| 51 |
or whatever, in which case they have to do a fairly painful manual |
| 52 |
investigation of all their packages. |
| 53 |
|
| 54 |
(Worst case scenario): Drobbins's machine is cracked and his keys are |
| 55 |
stolen. This is actually not much worse than a developer's keys being |
| 56 |
stolen. Contrast this with how things are at the moment, which would be |
| 57 |
disaster. |
| 58 |
|
| 59 |
> Adding it is just another way for something to go wrong. |
| 60 |
|
| 61 |
This is absolutely true. Public key infrastructure was never designed to |
| 62 |
stop things going wrong - this is still a hard problem that rests with |
| 63 |
administrators. What it does do is to make tampering much easier to |
| 64 |
detect, and when things do go wrong to put them right much more quickly |
| 65 |
and correctly than would otherwise be possible. |
| 66 |
|
| 67 |
I hope I've convinced people this is valuable. |
| 68 |
|
| 69 |
-- |
| 70 |
When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. - Jonathan Swift |
| 71 |
|
| 72 |
-- |
| 73 |
gentoo-dev@g.o mailing list |
Archives