1 |
On Fri, Nov 21, 2003 at 11:38:55PM -0500, Lisa Seelye wrote: |
2 |
|
3 |
> If the key server/signature is compromised you have gained nothing over |
4 |
> the way we have it now. |
5 |
|
6 |
This isn't true. GPG *can* be done with trusted keyservers, but as |
7 |
you point out that's silly. The best way to do it is with the web of |
8 |
trust. We generate a key for trusted@g.o, who signs, say, |
9 |
avenj's, drobbins's, and seemant's keys, and is then removed from the |
10 |
computer and put onto 3 or so CD's (for redundancy), which are locked |
11 |
away in a safe. avenj, drobbins and seemant go around signing every |
12 |
developer's key (this is the hardest part because it shouldn't be |
13 |
autmated). |
14 |
|
15 |
The public key for trusted@g.o is then posted to an area of |
16 |
gentoo.org, made available on the mirrors, posted to keyservers, etc. |
17 |
and the fingerprint is made widely available (mailinglists, IRC topics, |
18 |
etc.). The gentoo developers and some of the gentoo powerusers |
19 |
(hopefully the ones who are most active on the forums, mailinglists, and |
20 |
IRC), sign the trusted@g.o key. |
21 |
|
22 |
We then have the following properties: |
23 |
* everyone knows what the trusted@g.o public key is. |
24 |
* no-one knows, or can possibly find out, what the private key is. |
25 |
* the widespread knowledge of the public key cannot easily be |
26 |
changed. |
27 |
|
28 |
This allows gentoo to distribute signed (by drobbins, seemant and avenj) |
29 |
livecd's and stageballs that contain the public key itself. Users are |
30 |
encouraged to verify these signatures and are told what the signatures |
31 |
not matching means (ie, danger). |
32 |
|
33 |
Let's examine a few things that can go wrong once this is in place: |
34 |
|
35 |
A distfiles mirror is cracked: Lots of users download trojan'd packages, |
36 |
which fail verification against the maintainer's GPG key. The cracker |
37 |
can't fake a signature - that's one of the properties of a digital |
38 |
signature. The mirror admin is notified, mirror is cleaned up. No |
39 |
damage is done - in fact this is probably looks *good* for Gentoo. With |
40 |
the current system, it would be easily possible to compromise hundred's |
41 |
of people's machines. |
42 |
|
43 |
A developer's machine is cracked, and his keys stolen: Fake packages are |
44 |
uploaded, and possibly hundreds of machines are affected. This is pretty |
45 |
bad. The developer issues a revocation of his key, which is propogated |
46 |
in the same way that new keys are, and affected users find out that |
47 |
their machines have been compromised and which specific packages caused |
48 |
it. They can then start rebuilding their machines, or doing forensics, |
49 |
or whatever. Contrast this with the current system, where we have to |
50 |
hope that they hear the announcement, or come on IRC at the right time, |
51 |
or whatever, in which case they have to do a fairly painful manual |
52 |
investigation of all their packages. |
53 |
|
54 |
(Worst case scenario): Drobbins's machine is cracked and his keys are |
55 |
stolen. This is actually not much worse than a developer's keys being |
56 |
stolen. Contrast this with how things are at the moment, which would be |
57 |
disaster. |
58 |
|
59 |
> Adding it is just another way for something to go wrong. |
60 |
|
61 |
This is absolutely true. Public key infrastructure was never designed to |
62 |
stop things going wrong - this is still a hard problem that rests with |
63 |
administrators. What it does do is to make tampering much easier to |
64 |
detect, and when things do go wrong to put them right much more quickly |
65 |
and correctly than would otherwise be possible. |
66 |
|
67 |
I hope I've convinced people this is valuable. |
68 |
|
69 |
-- |
70 |
When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. - Jonathan Swift |
71 |
|
72 |
-- |
73 |
gentoo-dev@g.o mailing list |