
Re: Package authentication proposal



On Tue, 20 Feb 1996, Carl V Streeter wrote:

[ > > == Stephen Early ]

> My only concern is that it would take a good bit of initial work
> to have confidence in all of the signatures, and a good bit of work
> to get all of the scripts &c set up.  But probably worth it in the long haul.

And, of course, Ian would have to make all the necessary changes to dpkg. 

> > There is a 'validity' key, held online in dedicated secure
> > hardware. This could be a separate, non-networked machine connected to
> > a networked front-end machine (not necessarily dedicated) by a serial
> > cable. It need not be securely connected to the primary ftp site.
> 
> This is the only part that I don't understand.  What exactly does having the
> machine being connected via serial cable rather than ethernet buy you?
> It seems "more" secure, but still not secure.  Whatever that is ;)

We don't use SLIP or PPP or any general network protocol over the serial
cable. All we can do over it is send certificates for signature, and
receive back signed certificates. It's not possible to log in to the
secure machine remotely; it has no other connections to the outside world. 
This is basically just protection against hackers; they can't obtain the
secret part of the validity key without being present at the console. In
slightly more technical terms, it reduces the size of the trusted
computing base. 

In practical terms, an extremely low-spec machine can be used as the 
trusted one. A 4Mb 386 should be perfectly adequate.

The secure machine won't sign certificates until 24 hours after it
receives them unless the machine's administrator intervenes at the
console. This should only happen after he has contacted the package
maintainer out of band (i.e. by telephone, using the telephone number that
the package maintainer registered at the same time that he had his key
certified). 

Hope this makes things a bit clearer,

Steve Early
sde1000@cam.ac.uk
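As an added illustration of the design described in the mail above (not code from the thread, from Steve Early or from dpkg), here is a toy model of the secure machine in Python: the serial link accepts only certificates for signature, each request sits for 24 hours unless an operator approves it at the console, and the secret part of the validity key never leaves the object. HMAC-SHA256 stands in for the real signature scheme, and the `SIGN ` message prefix is an assumed framing for the serial protocol.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

HOLD_SECONDS = 24 * 60 * 60  # the 24 hour hold described in the mail

class OfflineSigner:
    """Model of the secure, non-networked 'validity key' machine."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key  # secret part never leaves this object
        self._pending: Dict[int, Tuple[bytes, Optional[int]]] = {}
        self._next_id = 1

    def receive_over_serial(self, message: bytes, now: int) -> Optional[int]:
        """The serial line carries one thing: a certificate to be signed.
        Anything else (e.g. an attempted login) is silently dropped."""
        if not message.startswith(b"SIGN "):
            return None
        rid = self._next_id
        self._next_id += 1
        self._pending[rid] = (message[5:], now)  # (certificate, time received)
        return rid

    def console_approve(self, rid: int) -> None:
        """Operator at the console lifts the hold after contacting the
        maintainer out of band. Reachable only from the console, not the link."""
        cert, _ = self._pending[rid]
        self._pending[rid] = (cert, None)  # None = hold lifted

    def _sign(self, cert: bytes) -> bytes:
        # HMAC-SHA256 stands in for a real public-key signature (assumption)
        return hmac.new(self._key, cert, hashlib.sha256).digest()

    def release_signed(self, now: int) -> Dict[int, Tuple[bytes, bytes]]:
        """Sign and return every certificate whose hold has expired or been
        lifted; these are what goes back over the serial cable."""
        done = {}
        for rid, (cert, received) in list(self._pending.items()):
            if received is None or now - received >= HOLD_SECONDS:
                done[rid] = (cert, self._sign(cert))
                del self._pending[rid]
        return done

def signature_ok(secret_key: bytes, cert: bytes, sig: bytes) -> bool:
    """Check a returned signature (with a real key pair the front end would
    only need the public part)."""
    expected = hmac.new(secret_key, cert, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```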

