| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Wednesday 24 March 2004 15:24, Jesse Nelson wrote: |
| 5 |
> |
| 6 |
> signing @ a file level (even using signed sig files) stops a |
| 7 |
> compromise of a rsync server from being an issue at all. imho a better |
| 8 |
> solution. It does push the problem out to the devs keys or whatever |
| 9 |
> you do for keys.. thats where the peer review and multiple sigs come |
| 10 |
> into play. |
| 11 |
|
| 12 |
I do not oppose normal key revokation to happen next to fast rotation |
| 13 |
based security. (So invalid dev keys can be revoked) We need however to |
| 14 |
have a way to distribute a list of those keys that can sign packages. |
| 15 |
The location of this list can allways be compromised. (One could do a |
| 16 |
DOS on the webnodes where it is stored). The only solution to this is to |
| 17 |
use a short lifetime for such a list. |
| 18 |
|
| 19 |
It is not possible in all cases to actually revoke a key. What if a |
| 20 |
developer leaves gentoo. We can hardly require him to revoke his key if |
| 21 |
he uses it for other identities too. And even if we ask him to, there |
| 22 |
are no guarantees he will. Also using standard web of trust would mean |
| 23 |
that anyone whose key I have signed can sign a package. I don't want |
| 24 |
that as many of those people are not gentoo devs. The only thing my |
| 25 |
signature means is that I verified that they are themselves. |
| 26 |
|
| 27 |
> 100% is totally impracticall but this does double the effort required |
| 28 |
> to compromise integrity. thats not that bad of an optimization really. |
| 29 |
|
| 30 |
It also more than quadruples the efforts needed for actually committing a |
| 31 |
change to an ebuild. As a start we can better have single signing that |
| 32 |
spending months on reorganization and devising a way to have practical |
| 33 |
multiple signing. |
| 34 |
|
| 35 |
The problem is that signing can be done today. Multiple signing will need |
| 36 |
probably at least a half year. |
| 37 |
|
| 38 |
> > Yes, it is. However with over 200 developers changing things |
| 39 |
> > overnight is like trying to change the direction of a mammuth oil |
| 40 |
> > tanker 90 degrees in 15 minutes. It is plain impossible. |
| 41 |
> |
| 42 |
> i totally agree, but im laying out my voice.. 1 sig and 1 signer is |
| 43 |
> really quite easy to get around. 2 is alot harder.. and once you have |
| 44 |
> the process in place for 2 sigs its is not difficult to extend it to |
| 45 |
> 1+X sigs. where each itteratin of X increase trust in package quite |
| 46 |
> alot. |
| 47 |
|
| 48 |
The problem is that with each change to a package all previous signatures |
| 49 |
are invalid (they don't match the package anymore). This means that |
| 50 |
basically when one wants to change a package one must commit and sign it |
| 51 |
yourself. Then find someone who will check the packages again and have |
| 52 |
him sign it again. |
| 53 |
|
| 54 |
We can probably devise a way in which we could allow multiple signatures |
| 55 |
if it were on a file instead of package base. However that would not |
| 56 |
mean that the latest greatest version would be guaranteed multiply |
| 57 |
signed. |
| 58 |
|
| 59 |
Also single or multiple signing does not change the keyring part at all. |
| 60 |
The signing keys still would need to be allowed to sign, so there needs |
| 61 |
to be a list of all keys authorized to sign packages. There is no |
| 62 |
possibility that we can guarantee that we will be able to revoke such a |
| 63 |
list, so the list needs to have a short lifetime as an alternative |
| 64 |
security enhancement. The shorter the lifetime, the safer it is, but |
| 65 |
also more bothersome and resource intensive. 1 day seems to be a good |
| 66 |
compromise. |
| 67 |
|
| 68 |
Paul |
| 69 |
|
| 70 |
- -- |
| 71 |
Paul de Vrieze |
| 72 |
Gentoo Developer |
| 73 |
Mail: pauldv@g.o |
| 74 |
Homepage: http://www.devrieze.net |
| 75 |
-----BEGIN PGP SIGNATURE----- |
| 76 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 77 |
|
| 78 |
iD8DBQFAYaDJbKx5DBjWFdsRAsRkAKCF008sdGP9C9EjsY3MFyY6oz8BCACeIZgh |
| 79 |
bzdrOmYBZ6VgrJ3/9nYwJ9M= |
| 80 |
=/43w |
| 81 |
-----END PGP SIGNATURE----- |
| 82 |
|
| 83 |
-- |
| 84 |
gentoo-dev@g.o mailing list |
Archives