On Mon, Nov 25, 2002 at 09:34:40AM -0500, Michael T. Babcock wrote:
> > Signatures require a) somebody checks THE WHOLE SOURCE for trojans. This
> > will take weeks and therefore will never happen. b) that we can keep the
> > private key secure. This is unlikely.
> 
> Have you participated (without identifying yourself) in any large projects
> that currently GPG-sign their sources / binaries?  All you have to do is
> sign them when you package them.  What people want from the signature is
> the knowledge that the package is as the author created it and not repackaged
> by a third party.
We have been over this...
> 
> As for source errors or hidden trojans, that can always happen, but a signed
> release lets you announce a patch release, admitting the trojanning and users
> know that the new release is also from the usual packaging author.
Sure, if the trojaned release didn't compromise the announcement
mechanism. The whole point here is not to rely on the website, so we
have to be able to get revocation certificates etc from freenet.
> 
> Keeping a private key secure is really easy in this context (use a CD/floppy).
> More importantly you can always create private keys with 3 or 6 month expiries 
> so that you have to create new keys before then and sign them with the old 
> keys so that anyone who actually compromises the key doesn't gain much.  Being 
> able to revoke GPG/PGP keys makes this almost unnecessary as well (are you 
> actually familiar with the technology involved in how GPG/PGP work?  Go read 
> the fine manual ... www.gnupg.org).
Um, if I am patronized on public key cryptography by another luser, I
will scream. Seriously, keeping a private key secure is nigh on
impossible even with hardware tokens against any moderately funded
opponent. Hence the need for revocation of the insertion key by developers.
> 
> > > with IE or Mozilla for that matter.  Please do some research ...
> > Signed JAR files go through verisign. That is not good.
> 
> Signed JAR files don't go through verisign; that's one company that offers such
> signatures.  You don't actually need to use their signatures; see www.openssl.org
> or www.openca.org for something more complex.  There are open and free ways to
> create and manage signing authorities for JARs as well (again, I happen to do this
> stuff for a living).
openca.org looks unfinished. Does it actually have something working?
And is it known by Internet Explorer, or at least Mozilla? Web of trust
only works when you know somebody else on the web (which is in practice
impossibly rare), and a hierarchical system like verisign only works if
you trust the corporation, which means a) you have to trust the
corporation - a lot of people would be skeptical about this point w.r.t.
many of them, and b) you pay a usually significant amount of money to
the CA, and c) the CA is a legal body which can be attacked.
> 
> -- 
> Michael T. Babcock
> CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)
> This advice brought to you by a lot of cash I didn't charge for the advice ...
> http://www.fibrespeed.net/~mbabcock/
> 

-- 
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
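The rotation scheme argued over above (short-lived packaging keys, each new key signed by the old one, with revocation of any key that is compromised), as an added example that is not code from this thread or from the Freenet project; it uses Ed25519 from Go's standard library in place of GPG/PGP, a hypothetical Key type, and a revoked set standing in for the revocation certificates a user has already obtained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Key is one packaging key: its validity window plus, for every key except the
// root the user obtained out of band, a hand-over signed by the previous key.
type Key struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
	Parent              *Key   // nil for the root
	ParentSig           []byte // Parent's signature over certBytes(k)
}

// certBytes is what the old key signs when it hands over to a new key.
func certBytes(k *Key) []byte {
	s := k.NotBefore.UTC().Format(time.RFC3339) + "|" + k.NotAfter.UTC().Format(time.RFC3339) + "|"
	return append([]byte(s), k.Pub...)
}

// Rotate creates a successor valid for `life` from `from`, signed with the current key.
func Rotate(cur *Key, curPriv ed25519.PrivateKey, from time.Time, life time.Duration) (*Key, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed example: error ignored for brevity
	next := &Key{Pub: pub, NotBefore: from, NotAfter: from.Add(life), Parent: cur}
	next.ParentSig = ed25519.Sign(curPriv, certBytes(next))
	return next, priv
}

// VerifyRelease accepts a release only if the signature checks, the signing key is inside
// its window at `at`, no key on the chain is revoked, and every hand-over was signed by a
// predecessor that was itself valid at the hand-over time (a compromised old key that has
// been revoked therefore poisons every successor it certified).
func VerifyRelease(root, leaf *Key, revoked map[string]bool, at time.Time, release, sig []byte) error {
	if !ed25519.Verify(leaf.Pub, release, sig) {
		return errors.New("bad release signature")
	}
	if at.Before(leaf.NotBefore) || at.After(leaf.NotAfter) {
		return errors.New("signing key expired or not yet valid")
	}
	for k := leaf; ; k = k.Parent {
		if revoked[string(k.Pub)] {
			return errors.New("revoked key on the chain")
		}
		if p := k.Parent; p == nil {
			if string(k.Pub) == string(root.Pub) {
				return nil
			}
			return errors.New("chain does not end at the trusted root")
		} else if k.NotBefore.Before(p.NotBefore) || k.NotBefore.After(p.NotAfter) ||
			!ed25519.Verify(p.Pub, certBytes(k), k.ParentSig) {
			return errors.New("hand-over not validly signed by the previous key")
		}
	}
}
```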
