The problem is (as you wrote) "supposed to be verified out-of-band".
For some less technical people, even verifying the signature is a huge
step.
I am a fan of providing easily accessible security and using already
existing infrastructure (in the case of the dom0 repo, an ultimately
trusted source).
I'm wary of calling the dom0 repo an ultimately trusted source, as it implies
trust in all the related infrastructure (DNS, CAs, etc.). Package managers
follow a trusted-objects model. Each package's signature is verified before
installing, meaning trust of the repo is not required.

OK, I was a bit imprecise.
I meant: packages loaded and verified (via signatures) from the repo for dom0 can be considered ultimately trusted.

If one of the installed packages of the dom0 repo is compromised, we have an attacker in dom0 and it is game-over.
So we can assume these packages are ultimately trusted.

In either case, however, a signing key must be distributed in such a fashion
that it can be verified and, as such, I'm not sure if this offers anything other
than a wrapper around the signature verification step.

If you distribute the key with the OS and it is living in dom0, it can only be changed by someone in dom0 -> game-over. So: if the key is compromised, you can't trust anything on this machine; either it was somehow compromised during usage, or it was compromised from the beginning (via a compromised installation image).

If the key is in dom0 and you want to verify it over a different channel, you can load it into some VM and do this there.

The wrapper function to download and check images is just convenience for a non-technical user.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0f4abff-a9d0-a1f4-72f3-c26ae643ab19%40openmailbox.org.
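The "wrapper around the signature verification step" discussed in this thread, as an added example that is not part of the original thread and not Qubes' own tooling: a small POSIX shell script that downloads an image plus its detached signature, verifies it with gpg against a dedicated keyring, and accepts the result only if the signing key's primary fingerprint equals one pinned in the script. The pinned fingerprint is the one thing the user still verifies out-of-band (once); the script does the repetitive part. `PINNED_FPR`, `KEYRING`, the URL scheme (`<url>.asc` for the signature) and the sample gpg status lines are assumptions or constructed, not real Qubes values.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes): download an image and its
# detached signature, verify with gpg, and insist that the signature comes from
# a key whose primary fingerprint was pinned ahead of time.
# PINNED_FPR and KEYRING are placeholders; replace them with the fingerprint
# you verified out-of-band and a keyring holding only that key.

PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"  # placeholder
KEYRING="${KEYRING:-./image-signing.kbx}"                               # placeholder path

# Pull the primary-key fingerprint out of gpg's machine-readable status output.
# A VALIDSIG record looks like:
#   [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo> <hash> <class> <primary-fpr>
# The last field is the primary key fingerprint. A BADSIG or ERRSIG run has no
# VALIDSIG record, so nothing is printed.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Exit 0 only if the status text contains a VALIDSIG whose primary fingerprint
# matches the expected one. Spaces and case are normalised so a fingerprint
# copied from a web page or a printout compares correctly.
sig_from_pinned_key() {
    status_text="$1"
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s\n' "$status_text" | validsig_primary_fpr | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Download <url> to <out>, fetch <url>.asc next to it, then verify.
# gpg --verify exits 0 for any good signature from any key in the keyring,
# whatever that key's trust level, so the fingerprint pin is the check that
# actually decides whether the image is accepted.
verify_image() {
    url="$1"; out="$2"
    curl -fsSL -o "$out" "$url" || return 1
    curl -fsSL -o "$out.asc" "$url.asc" || return 1
    status=$(gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
                 --verify "$out.asc" "$out") || {
        echo "signature verification failed" >&2; return 1; }
    sig_from_pinned_key "$status" "$PINNED_FPR" || {
        echo "good signature, but not from the pinned key; refusing" >&2; return 1; }
    echo "ok: $out is signed by $PINNED_FPR"
}

# Constructed sample of gpg status output (not a real signature) so the
# parsing can be exercised without network access or gpg installed.
SAMPLE_PRIMARY="1111222233334444555566667777888899990000"
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2020-01-01 1577836800 0 4 0 1 10 00 1111222233334444555566667777888899990000'
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7777888899990000 Example Signer <signer@example.invalid>'

# Usage: sh verify-image.sh <url> <output-file>
if [ $# -ge 2 ]; then
    verify_image "$1" "$2"
fi
```

Using a dedicated keyring (`--no-default-keyring --keyring ...`) means a key that some other tool imported into the user's default keyring cannot satisfy the check, and pinning the primary fingerprint rather than a key ID avoids the short-ID collision problem. If the script itself lives in dom0, the point made above still holds: whoever can edit the pinned fingerprint already has dom0, so the script adds convenience, not a new root of trust.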