1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
Marc Ballarin wrote: |
5 |
> I think that improperly used signatures are a dangerous placebo. |
6 |
> Developers have to be well aware of how to treat and use their keys. |
7 |
> Users have to be thoroughly educated about the meaning of a signature (ie |
8 |
> which guarantees it gives and which it cannot give). |
9 |
> If this does not happen, there will be a lot of dangerous |
10 |
> misunderstanding and - eventually - bad blood. |
11 |
|
12 |
I find all this talk really strange. Basically, ``let's not implement a |
13 |
security feature, because people might think it provides more security |
14 |
than it does, and blame us when it does not provide that security.'' |
15 |
|
16 |
In fact, this *does* provide a clearly quantifiable security benefit, in |
17 |
that rsync mirrors and channels of distribution (i.e. DNS servers, |
18 |
routers, etc) need not be trusted. Currently, they must be trusted. So |
19 |
this narrows the Trusted Computing Base down quite a bit, to get |
20 |
technical, and anyone can see that this benefits security as a result. |
21 |
Now, how much does it benefit? I don't know of a quanta to measure that in. |
22 |
|
23 |
The point remains that this is a security benefit, and the only |
24 |
arguments I've seen here against it are either that it's overhyped, |
25 |
which is a meaningless argument and no reason not to implement it, or |
26 |
that it's currently too difficult to do, which is not the case. |
27 |
|
28 |
The reason it isn't implemented is becuase it takes a lot of people |
29 |
getting on board before it works, right? Fine. I'm understanding, and |
30 |
not terribly critical. But I think it's delusion to say that this |
31 |
provides no security benefit; objectively, quantitatively, it does. |
32 |
- -- |
33 |
Dan "KrispyKringle" Margolis |
34 |
Security Coordinator/Audit Project, Gentoo Linux |
35 |
-----BEGIN PGP SIGNATURE----- |
36 |
Version: GnuPG v1.2.4 (Darwin) |
37 |
|
38 |
iQEVAwUBQY5iD7DO2aFJ9pv2AQKlcAf/cUmSkPNnAj3v8XQ3YxE0fJ1ynVOuyAt1 |
39 |
k+yPrcuPuz7jk4/+UDAt5MOvVZpaHY8jhNlV5ACPhyp8Dldo6mFIIGHkOYLvIuhr |
40 |
O//tmN0RMkySXw4Lal/nQVD31vSMFUrcpXxnKOSsDXTJ+FeO5lU8hKQAowkuw4L2 |
41 |
t3evkWzvhbDEON9/X0D68tZG1m4dpBxQty+MibPwdtJyZ8tZkcLwr+LXXU2Q6uUn |
42 |
LGPd1KG3wx1faVkNhDFBMbYYWrLemGKnSXVr0c7wkllMJNb83QzbbBA0yvE42jna |
43 |
IDlF4ndH3MGB/N3myo8pfFZTt8WpK+xmOSqTVjTNmap7ImHkIsnI3w== |
44 |
=35tM |
45 |
-----END PGP SIGNATURE----- |
46 |
|
47 |
-- |
48 |
gentoo-security@g.o mailing list |