On 05/28/10 02:51 PM, Brock Pytlik wrote:
> On 05/28/10 02:07 PM, Jeffrey Hutzelman wrote:
>> --On Tuesday, May 25, 2010 01:33:45 PM -0700 Bart Smaalders
>> <[email protected]> wrote:
>>> Note that package manifests contain an FMRI, which includes the
>>> timestamp of the date of publication. This is part of the hash text
>>> for the signature, and thus cannot be modified w/o invalidating
>>> all the signatures.
>> You mean, the timestamp the person creating the signature wishes you
>> to _believe_ was the date of publication. The two are not
>> necessarily the same thing. Checking that the key used to create a
>> signature was valid on some date contained in the signed content is
>> the same as not checking the expiration at all, because _the signer
>> can lie about the timestamp_.
> Yes, and if you don't trust the publisher, who is the signer, not to
> fake the timestamp, don't add them as a publisher to your image
> because clearly they shouldn't be trusted to deliver content to your
> system either. Note that a third party cannot change the timestamp
> without invalidating the publisher's original timestamp.
Sorry, I meant "the publisher's original signature" not timestamp.
[snip]
Brock
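
The two checks argued over in this thread, side by side, as an added example that is not part of any poster's message or of the pkg code. HMAC stands in for the publisher's public-key signature, and the key, certificate validity window, manifest, and function names are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed values. HMAC stands in for the publisher's public-key
# signature so the example runs on the standard library alone.
PUBLISHER_KEY = b"constructed-demo-key"
CERT_NOT_BEFORE = datetime(2009, 1, 1, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2010, 1, 1, tzinfo=UTC)

# Constructed manifest; the FMRI ends in the publication timestamp.
MANIFEST = (
    "set name=pkg.fmri value=pkg://example.org/demo@1.0,5.11-0.1:20090601T000000Z\n"
    "file path=usr/bin/demo mode=0555\n"
)

def sign(manifest: str) -> str:
    """Sign the whole manifest text, FMRI timestamp included."""
    return hmac.new(PUBLISHER_KEY, manifest.encode(), hashlib.sha256).hexdigest()

def claimed_time(manifest: str) -> datetime:
    """Parse the timestamp the signer put into the FMRI."""
    fmri = next(l for l in manifest.splitlines() if l.startswith("set name=pkg.fmri"))
    stamp = fmri.rsplit(":", 1)[1].strip()
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)

def in_window(when: datetime) -> bool:
    """True if the constructed certificate was valid at the given time."""
    return CERT_NOT_BEFORE <= when <= CERT_NOT_AFTER

def evaluate(manifest: str, signature: str, trusted_now: datetime) -> dict:
    """Compare the signer-asserted time check with a verifier-clock check."""
    return {
        "signature_ok": hmac.compare_digest(sign(manifest), signature),
        "key_valid_at_claimed_time": in_window(claimed_time(manifest)),
        "key_valid_at_trusted_time": in_window(trusted_now),
    }

if __name__ == "__main__":
    sig = sign(MANIFEST)
    after_expiry = datetime(2010, 5, 28, tzinfo=UTC)
    # Third party edits the timestamp: the signature no longer verifies.
    print(evaluate(MANIFEST.replace("20090601", "20090501"), sig, after_expiry))
    # Key holder signs after expiry but writes an in-window timestamp.
    print(evaluate(MANIFEST, sig, after_expiry))
```

The first result shows the point made about third parties: any edit to the signed timestamp breaks the signature. The second shows the objection: whoever holds the key chooses the timestamp, so only a time source outside the signed content tells the verifier whether the key was valid when it was used.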