On Fri, Nov 21, 2003 at 11:38:55PM -0500, Lisa Seelye wrote:
> If the key server/signature is compromised you have gained nothing over
> the way we have it now.

This isn't true. GPG *can* be done with trusted keyservers, but as
you point out that's silly. The best way to do it is with the web of
trust. We generate a key for [EMAIL PROTECTED], who signs, say,
avenj's, drobbins's, and seemant's keys, and is then removed from the
computer and put onto 3 or so CDs (for redundancy), which are locked
away in a safe. avenj, drobbins and seemant go around signing every
developer's key (this is the hardest part because it shouldn't be
automated).

The public key for [EMAIL PROTECTED] is then posted to an area of
gentoo.org, made available on the mirrors, posted to keyservers, etc.
and the fingerprint is made widely available (mailing lists, IRC topics,
etc.). The gentoo developers and some of the gentoo power users
(hopefully the ones who are most active on the forums, mailing lists, and
IRC) sign the [EMAIL PROTECTED] key.

We then have the following properties:

* everyone knows what the [EMAIL PROTECTED] public key is.
* no-one knows, or can possibly find out, what the private key is.
* the widespread knowledge of the public key cannot easily be
  changed.

This allows gentoo to distribute signed (by drobbins, seemant and avenj)
livecds and stageballs that contain the public key itself. Users are
encouraged to verify these signatures and are told what the signatures
not matching means (i.e., danger).

Let's examine a few things that can go wrong once this is in place:

A distfiles mirror is cracked: Lots of users download trojan'd packages,
which fail verification against the maintainer's GPG key. The cracker
can't fake a signature - that's one of the properties of a digital
signature. The mirror admin is notified, mirror is cleaned up. No
damage is done - in fact this probably looks *good* for Gentoo. With
the current system, it would be easily possible to compromise hundreds
of people's machines.

A developer's machine is cracked, and his keys stolen: Fake packages are
uploaded, and possibly hundreds of machines are affected. This is pretty
bad. The developer issues a revocation of his key, which is propagated
in the same way that new keys are, and affected users find out that
their machines have been compromised and which specific packages caused
it. They can then start rebuilding their machines, or doing forensics,
or whatever. Contrast this with the current system, where we have to
hope that they hear the announcement, or come on IRC at the right time,
or whatever, in which case they have to do a fairly painful manual
investigation of all their packages.

(Worst case scenario): Drobbins's machine is cracked and his keys are
stolen. This is actually not much worse than a developer's keys being
stolen. Contrast this with how things are at the moment, which would be
a disaster.

> Adding it is just another way for something to go wrong.

This is absolutely true. Public key infrastructure was never designed to
stop things going wrong - this is still a hard problem that rests with
administrators. What it does do is to make tampering much easier to
detect, and when things do go wrong to put them right much more quickly
and correctly than would otherwise be possible.

I hope I've convinced people this is valuable.

--
When a true genius appears in the world, you may know him by this sign, that the
dunces are all in confederacy against him. - Jonathan Swift
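
Added example, not part of the original message: a small Python model of the trust chain and the failure cases described above (tampered mirror, stolen developer key, stolen lead key). An HMAC under a per-key secret stands in for an OpenPGP signature, the key and package names are hypothetical, and the model assumes a revoked key's certifications stop counting.

```python
import hashlib
import hmac

# Constructed model: an HMAC under a per-key secret stands in for an OpenPGP
# signature, so holding SECRETS[k] models holding k's private key.
SECRETS = {k: (k + "-secret").encode()
           for k in ("root", "lead-a", "lead-b", "dev-x", "dev-y")}

def sign(key, data):
    return key, hmac.new(SECRETS[key], data, hashlib.sha256).hexdigest()

def valid(sig, data):
    key, mac = sig
    return key in SECRETS and hmac.compare_digest(mac, sign(key, data)[1])

# Certifications: the offline root signs the leads, the leads sign developers.
CERTS = [(subject, sign(issuer, subject.encode())) for issuer, subject in [
    ("root", "lead-a"), ("root", "lead-b"),
    ("lead-a", "dev-x"), ("lead-a", "dev-y"), ("lead-b", "dev-y")]]

def trusted(key, revoked):
    """True if key is the root, or is certified by a trusted, unrevoked key."""
    if key in revoked:
        return False
    if key == "root":
        return True
    return any(valid(sig, subject.encode()) and trusted(sig[0], revoked)
               for subject, sig in CERTS if subject == key)

def check(data, sig, revoked=frozenset()):
    if not valid(sig, data):
        return "bad-signature"      # e.g. tarball altered on a mirror
    if not trusted(sig[0], revoked):
        return "untrusted-signer"   # signer revoked, or its chain is broken
    return "ok"

def audit(installed, revoked):
    """Installed packages that no longer verify under the revocation set."""
    return sorted(name for name, (data, sig) in installed.items()
                  if check(data, sig, revoked) != "ok")

# Constructed sample: two installed packages with their maintainers' signatures.
INSTALLED = {
    "app-misc/foo-1.0": (b"foo tarball", sign("dev-x", b"foo tarball")),
    "app-misc/bar-2.1": (b"bar tarball", sign("dev-y", b"bar tarball")),
}

if __name__ == "__main__":
    print(check(b"foo tarball + trojan", INSTALLED["app-misc/foo-1.0"][1]))
    for revoked in ({"dev-x"}, {"lead-a"}):
        print(sorted(revoked), audit(INSTALLED, revoked))
```

In the lead-key case only packages whose signer has no other certification path are flagged; dev-y stays trusted through lead-b.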