--On Tuesday, May 25, 2010 01:33:45 PM -0700 Bart Smaalders
<[email protected]> wrote:
Note that package manifests contain an FMRI, which includes the timestamp
of the date of publication. This is part of the hash text
for the signature, and thus cannot be modified w/o invalidating
all the signatures.
You mean, the timestamp the person creating the signature wishes you to
_believe_ was the date of publication. The two are not necessarily the
same thing. Checking that the key used to create a signature was valid on
some date contained in the signed content is the same as not checking the
expiration at all, because _the signer can lie about the timestamp_.
Expired certs need to be used to check old packages; as long as the
package was signed when the cert was valid we will accept the cert
for that package version.
And how do you know the package is old, as opposed to merely claiming to be
old. How do you know the package was not created yesterday by an attacker
using an expired key which he has compromised?
It needs to be possible to install Solaris 11 many years after FCS from
original media w/o having to ignore signatures.
Yes, it does. But the solution to that problem is not to simply ignore
expiration entirely.
-- Jeffrey T. Hutzelman (N3NHS) <[email protected]>
Carnegie Mellon University - Pittsburgh, PA
_______________________________________________
security-discuss mailing list
[email protected]
