1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On Wednesday 24 March 2004 15:24, Jesse Nelson wrote: |
5 |
> |
6 |
> signing @ a file level (even using signed sig files) stops a |
7 |
> compromise of a rsync server from being an issue at all. imho a better |
8 |
> solution. It does push the problem out to the devs keys or whatever |
9 |
> you do for keys.. thats where the peer review and multiple sigs come |
10 |
> into play. |
11 |
|
12 |
I do not oppose normal key revokation to happen next to fast rotation |
13 |
based security. (So invalid dev keys can be revoked) We need however to |
14 |
have a way to distribute a list of those keys that can sign packages. |
15 |
The location of this list can allways be compromised. (One could do a |
16 |
DOS on the webnodes where it is stored). The only solution to this is to |
17 |
use a short lifetime for such a list. |
18 |
|
19 |
It is not possible in all cases to actually revoke a key. What if a |
20 |
developer leaves gentoo. We can hardly require him to revoke his key if |
21 |
he uses it for other identities too. And even if we ask him to, there |
22 |
are no guarantees he will. Also using standard web of trust would mean |
23 |
that anyone whose key I have signed can sign a package. I don't want |
24 |
that as many of those people are not gentoo devs. The only thing my |
25 |
signature means is that I verified that they are themselves. |
26 |
|
27 |
> 100% is totally impracticall but this does double the effort required |
28 |
> to compromise integrity. thats not that bad of an optimization really. |
29 |
|
30 |
It also more than quadruples the efforts needed for actually committing a |
31 |
change to an ebuild. As a start we can better have single signing that |
32 |
spending months on reorganization and devising a way to have practical |
33 |
multiple signing. |
34 |
|
35 |
The problem is that signing can be done today. Multiple signing will need |
36 |
probably at least a half year. |
37 |
|
38 |
> > Yes, it is. However with over 200 developers changing things |
39 |
> > overnight is like trying to change the direction of a mammuth oil |
40 |
> > tanker 90 degrees in 15 minutes. It is plain impossible. |
41 |
> |
42 |
> i totally agree, but im laying out my voice.. 1 sig and 1 signer is |
43 |
> really quite easy to get around. 2 is alot harder.. and once you have |
44 |
> the process in place for 2 sigs its is not difficult to extend it to |
45 |
> 1+X sigs. where each itteratin of X increase trust in package quite |
46 |
> alot. |
47 |
|
48 |
The problem is that with each change to a package all previous signatures |
49 |
are invalid (they don't match the package anymore). This means that |
50 |
basically when one wants to change a package one must commit and sign it |
51 |
yourself. Then find someone who will check the packages again and have |
52 |
him sign it again. |
53 |
|
54 |
We can probably devise a way in which we could allow multiple signatures |
55 |
if it were on a file instead of package base. However that would not |
56 |
mean that the latest greatest version would be guaranteed multiply |
57 |
signed. |
58 |
|
59 |
Also single or multiple signing does not change the keyring part at all. |
60 |
The signing keys still would need to be allowed to sign, so there needs |
61 |
to be a list of all keys authorized to sign packages. There is no |
62 |
possibility that we can guarantee that we will be able to revoke such a |
63 |
list, so the list needs to have a short lifetime as an alternative |
64 |
security enhancement. The shorter the lifetime, the safer it is, but |
65 |
also more bothersome and resource intensive. 1 day seems to be a good |
66 |
compromise. |
67 |
|
68 |
Paul |
69 |
|
70 |
- -- |
71 |
Paul de Vrieze |
72 |
Gentoo Developer |
73 |
Mail: pauldv@g.o |
74 |
Homepage: http://www.devrieze.net |
75 |
-----BEGIN PGP SIGNATURE----- |
76 |
Version: GnuPG v1.2.4 (GNU/Linux) |
77 |
|
78 |
iD8DBQFAYaDJbKx5DBjWFdsRAsRkAKCF008sdGP9C9EjsY3MFyY6oz8BCACeIZgh |
79 |
bzdrOmYBZ6VgrJ3/9nYwJ9M= |
80 |
=/43w |
81 |
-----END PGP SIGNATURE----- |
82 |
|
83 |
-- |
84 |
gentoo-dev@g.o mailing list |