On Jan 18, 2016, at 5:56 AM, Jeff Johnson wrote:

>> 
>> I do not understand what non-repudiable means :(
>>  
> 
> Apologies for the techno jargon (but I am reluctant to invent newer! better! 
> bestest! terms)
> 
> A repudiation is a statement denying some claim like this:
>       Q: Did you modify anything in the package?
>       A: No.
> 
> So a non-repudiable signature is a public/global assertion that nothing 
> whatsoever is changed.

Here is perhaps a better (i.e. more explicit) example of repudiation(s):

        Claim:          My machine was rooted by installing a *Mandriva rpm package from this mirror.
        Repudiation #1: That package wasn't downloaded from this mirror.
        Repudiation #2: That is not a *Mandriva package because it's not signed with a Mandriva key.
        Repudiation #3: That is not a package produced by rpm because (various reasons, like the
                        package might have been altered after being built).

By including a non-repudiable signature, #3 provides a stronger/transparent mechanism that a
package was not altered after being built.

By registering a manifest with virtual-notary, *Mandriva would be providing some means to resolve
the issues associated with #1 and #2, and avoiding issues related to "official" key compromises.

hth

73 de Jeff


_______________________________________________
OM-Cooker mailing list
[email protected]
http://ml.openmandriva.org/mailman/listinfo/om-cooker_ml.openmandriva.org
