[This is mostly targeted at Xavier and in fact it might have been
better sent off-list. But then I figured I might be giving wrong or
incomplete information. If so somebody around here will correct me or
fill in the missing pieces.]

The OpenPGP (PGP, GnuPG or whatever you use) signature on a
distribution file fills two purposes:

(1) It is a checksum just like the md5 or sha1 hashes and helps users to
    ensure they've downloaded the correct file and the file hasn't
    been tampered with. It is more complex to calculate than the md5
    or sha1 checksums and way more difficult to forge.

(2) Unlike a plain checksum it also says who has created that hash.

For the purpose of (1) any OpenPGP key will do, so you could just go
ahead and create a key that hasn't been signed by anybody else and use
it. All a user has to do is import your key and verify the
signature.

Now, say I wanted to subvert the Ivy release, I want to install a
backdoor so that any project that downloads commons-httpclient
actually picks up a special version that sends all authentication
tokens to a server of mine in addition to working just like good old
httpclient.

I'd go ahead and put my version of Ivy on the download server - or
maybe just onto some important mirrors - create md5 and sha1 files
myself and off we go. Users verify the checksum and all looks fine.

If I only attack a mirror there is hope. Hope that people have
actually followed our instructions and didn't download the checksums
from the mirror but from the ASF server directly. The checksums
wouldn't match.

Now let's assume that I managed to gain access to people.a.o and
modified Ivy there. In a world without PGP signatures nobody is ever
going to notice.

But there is (2). The signature says who has created it. The
attacker can't sign the distribution with your key unless he also
manages to steal your private key.

This is true, but nobody is going to stop the attacker from creating a
key that says "I'm Xavier Hanin's key".

How can I know that the signature you've made has really been made by
you and not by some attacker forging a key that just claims to be
yours?

Maybe we know each other and you've convinced me that the key with a
given ID is actually yours. Then we are fine. This should be the
case after ApacheCon 8-)

But if we've never met, signatures on the key used for signing come
into play. Let's assume Steve has signed your key which means he has
publicly stated "I have verified this key is Xavier's" and that I
have met Steve and verified his key. I still don't know for sure that
the key is yours but I know Steve thinks it is. This doesn't prove it
is your key (I don't want to go into trust calculations here) but at
least it makes it quite a bit more likely.

The more signatures are on a key, the bigger the chance that there
will be some chain of a key I know - because I've verified it myself -
to that key. This is why you should strive for getting as many
signatures on your key as possible.

This is what a key signing party is about. All people who want their
keys signed gather in a room and "prove" their keys to each other.
Different people use different approaches to verify your identity.
Some may want to see your passport (that's why I mentioned it in my
past mail). In order to identify your key, you and the prospective
signer will compare the key's fingerprints.

If there is no key signing party you should still try to get people to
sign your key. Handing over a scrap of paper with your key
fingerprint will enable people to verify your key once they are in
their hotel room or home or wherever.

I hope things are less obscure now, or at least not more obscure than
they've been before. 8-)

Stefan
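
The two checks described in the mail above, worked through as an added example that is not part of the original message or of the Ivy project: the checksum comparison against a value fetched from the trusted server rather than the mirror, and a search for a chain of key signatures from a key the downloader has verified in person to the key that signed the release. The archive contents, the checksum, and the fingerprints (FPR-STEFAN, FPR-STEVE, FPR-XAVIER, FPR-FAKE-XAVIER) are constructed placeholders; the cryptographic check of the OpenPGP signature itself is assumed to have been done by gpg beforehand and is not modelled, so the code only decides what that signature is worth once it is known to be valid for a given key.

```python
import hashlib
import hmac
from collections import deque

# Constructed sample data (not a real Ivy release): the genuine archive bytes
# and a tampered copy of the kind an attacker might place on a mirror.
GENUINE_ARCHIVE = b"apache-ivy-2.0.0-bin.zip: constructed genuine content\n"
TAMPERED_ARCHIVE = b"apache-ivy-2.0.0-bin.zip: constructed content with backdoor\n"


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest, the kind published in a .sha1 file next to a release."""
    return hashlib.sha1(data).hexdigest()


# The checksum as it would be fetched from the ASF server itself, not from the
# mirror that served the archive. Constructed here from the genuine bytes.
ASF_PUBLISHED_SHA1 = sha1_hex(GENUINE_ARCHIVE)


def checksum_matches(downloaded: bytes, published_sha1: str) -> bool:
    """Purpose (1): does the download hash to the checksum from the trusted source?"""
    return hmac.compare_digest(sha1_hex(downloaded), published_sha1)


# Key signatures ("I have verified this key is X's"), keyed by signer fingerprint.
# All fingerprints are constructed placeholders, not real OpenPGP keys.
KEY_SIGNATURES = {
    "FPR-STEFAN": {"FPR-STEVE"},   # Stefan has signed Steve's key
    "FPR-STEVE": {"FPR-XAVIER"},   # Steve has signed Xavier's key
    "FPR-XAVIER": set(),
    "FPR-FAKE-XAVIER": set(),      # attacker's key claiming to be Xavier's: nobody signed it
}


def trust_path(verified_by_me, target, signatures=KEY_SIGNATURES):
    """Breadth-first search for a chain of key signatures leading from a key
    I have verified myself to the target key. Returns the chain of
    fingerprints, or None when no such chain exists."""
    queue = deque([key] for key in verified_by_me)
    seen = set(verified_by_me)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for signed in signatures.get(path[-1], ()):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


def verify_release(downloaded, published_sha1, signing_key, verified_by_me,
                   signatures=KEY_SIGNATURES):
    """Combine both purposes. The OpenPGP signature is assumed to have been
    checked by gpg and found valid for signing_key; this decides whether the
    checksum holds and whether that key is one we have a reason to trust.
    Returns (accepted, reason)."""
    if not checksum_matches(downloaded, published_sha1):
        return False, "checksum from the trusted server does not match the download"
    chain = trust_path(verified_by_me, signing_key, signatures)
    if chain is None:
        return False, "no chain of key signatures reaches " + signing_key
    return True, "trust chain: " + " -> ".join(chain)


if __name__ == "__main__":
    my_keys = {"FPR-STEFAN"}   # keys whose fingerprints I compared in person
    # Mirror compromise: archive swapped on the mirror, checksum fetched from the ASF server.
    print(verify_release(TAMPERED_ARCHIVE, ASF_PUBLISHED_SHA1, "FPR-XAVIER", my_keys))
    # Server compromise: the .sha1 file was rewritten too, but the attacker
    # could only sign with a key of his own that carries no signatures.
    print(verify_release(TAMPERED_ARCHIVE, sha1_hex(TAMPERED_ARCHIVE), "FPR-FAKE-XAVIER", my_keys))
    # Genuine release signed with Xavier's key, reachable through Steve's signature.
    print(verify_release(GENUINE_ARCHIVE, ASF_PUBLISHED_SHA1, "FPR-XAVIER", my_keys))
```

The second case in the main block is the one the mail is really about: once the attacker controls the server, the checksums tell the downloader nothing, and the only thing that still separates the real release from the backdoored one is whether the signing key can be tied back to a key the downloader has verified.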