Hey, Xavier is not the only one interested in your explanation. He is not the only newbie in this area.

But it raises a few questions:
- When I'm a user of Apache libraries, and I don't personally know any public key of any member of the Apache community, how can I verify that the thing I downloaded is signed by a member of the project? In other words, how can I obtain the public keys?
- Why is Apache not a certificate authority? It would allow requiring only one 'authority' signing the private keys.
- Why does Apache not use some standard and 'universally recognized' certificate authority (like the ones recognized by default by most browsers)?

Thanks,
Gilles

> -----Original Message-----
> From: Stefan Bodewig [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 17 April 2007 13:42
> To: [email protected]
> Subject: Signing Releases (was Re: [retry] 2.0.0-alpha-1 release: need
> somebody to sign files)
>
> [This is mostly targeted at Xavier and in fact it might have been
> better sent off-list. But then I figured I might be giving wrong or
> incomplete information. If so somebody around here will correct me or
> fill in the missing pieces.]
>
> The OpenPGP (PGP, GnuPG or whatever you use) signature on a
> distribution file fills two purposes:
>
> (1) It is a checksum just like the md5 or sha1 hashes and helps users to
>     ensure they've downloaded the correct file and the file hasn't
>     been tampered with. It is more complex to calculate than the md5
>     or sha1 checksums and way more difficult to forge.
>
> (2) Unlike a plain checksum it also says who has created that hash.
>
> For the purpose of (1) any OpenPGP key will do, so you could just go
> ahead and create a key that hasn't been signed by anybody else and use
> it. All a user had to do was import your key and verify the
> signature.
>
> Now, say I wanted to subvert the Ivy release, I want to install a
> backdoor so that any project that downloads commons-httpclient
> actually picks up a special version that sends all authentication
> tokens to a server of mine in addition to working just like good old
> httpclient.
>
> I'd go ahead and put my version of Ivy on the download server - or
> maybe just onto some important mirrors - create md5 and sha1 files
> myself and off we go. Users verify the checksum and all looks fine.
>
> If I only attack a mirror there is hope. Hope that people have
> actually followed our instructions and didn't download the checksums
> from the mirror but from the ASF server directly. The checksums
> wouldn't match.
>
> Now let's assume that I managed to gain access to people.a.o and
> modified Ivy there. In a world without PGP signatures nobody is ever
> going to notice.
>
> But there is (2). The signature says who has created it. The
> attacker can't sign the distribution with your key unless he also
> manages to steal your private key.
>
> This is true, but nobody is going to stop the attacker from creating a
> key that says "I'm Xavier Hanin's key".
>
> How can I know that the signature you've made has really been made by
> you and not by some attacker forging a key that just claims to be
> yours?
>
> Maybe we know each other and you've convinced me that the key with a
> given ID is actually yours. Then we are fine. This should be the
> case after ApacheCon 8-)
>
> But if we've never met, signatures on the key used for signing come
> into play. Let's assume Steve has signed your key which means he has
> publicly stated "I have verified this key is Xavier's" and that I
> have met Steve and verified his key. I still don't know for sure that
> the key is yours but I know Steve thinks it is. This doesn't prove it
> is your key (I don't want to go into trust calculations here) but at
> least it makes it quite a bit more likely.
>
> The more signatures are on a key, the bigger the chance that there
> will be some chain from a key I know - because I've verified it myself -
> to that key. This is why you should strive for getting as many
> signatures on your key as possible.
>
> This is what a key signing party is about. All people who want their
> keys signed gather in a room and "prove" their keys to each other.
> Different people use different approaches to verify your identity.
> Some may want to see your passport (that's why I mentioned it in my
> past mail). In order to identify your key, you and the prospective
> signer will compare the key's fingerprints.
>
> If there is no key signing party you should still try to get people to
> sign your key. Handing over a scrap of paper with your key
> fingerprint will enable people to verify your key once they are in
> their hotel room or home or wherever.
>
> I hope things are less obscure now, or at least not more obscure than
> they've been before. 8-)
>
> Stefan
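
The chain-of-signatures check described in the quoted mail, as an added example that is not part of the original thread: a search for a path of key certifications from keys the verifier has checked in person to the key that signed a release. The keyring, its shortened fingerprints, the extra names and the `max_depth` limit are constructed assumptions, and every listed certification is assumed to have been cryptographically verified already.

```python
from collections import deque

# Constructed sample keyring: fingerprint -> (user ID the key claims,
# fingerprints of keys that certified it). All values are made up.
KEYRING = {
    "F1A2": ("Xavier Hanin", {"5EE7"}),   # key Xavier really holds
    "5EE7": ("Steve", {"0B0B"}),
    "0B0B": ("Bob", set()),
    "BAD0": ("Xavier Hanin", {"BAD1"}),   # forged key claiming the same name
    "BAD1": ("Mallory", set()),
}

def keys_claiming(keyring, name):
    """All fingerprints whose user ID is `name`; anyone can create such a key."""
    return sorted(f for f, (uid, _) in keyring.items() if uid == name)

def certification_chain(keyring, verified, target, max_depth=3):
    """Shortest chain [verified key, ..., target] of certifications, or None.
    Keys are matched by fingerprint only, never by the user ID they claim."""
    if target in verified:
        return [target]
    queue = deque([[target]])             # each path runs target -> signer -> ...
    seen = {target}
    while queue:
        path = queue.popleft()
        if len(path) > max_depth:         # hypothetical limit on chain length
            continue
        _, signers = keyring.get(path[-1], ("", set()))
        for signer in sorted(signers):
            if signer in verified:
                return [signer] + path[::-1]
            if signer in keyring and signer not in seen:
                seen.add(signer)
                queue.append(path + [signer])
    return None

if __name__ == "__main__":
    met_in_person = {"5EE7"}              # "I have met Steve and verified his key"
    for fpr in keys_claiming(KEYRING, "Xavier Hanin"):
        print(fpr, certification_chain(KEYRING, met_in_person, fpr))
```

A chain found this way only shows that each signer vouched for the next key; as the mail says, it makes the key more likely to be genuine without proving it.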
