Re: Contrasting BSIGN and TRIPWIRE
On Mon, 14 Dec 1998, Oscar Levi wrote:
> I don't agree with your assessment. Embedded signatures can be useful
> to a system administrator if the administrator trusts the signatures.
> For example, she would install a Debian system and run a process to
> resign all of the executables with her own key. During this, the keys
Then why do we need to have signatures? I said that us putting signatures
on the packages is not usefull, the admin signing with their own private
key is entirely different.
> The only advantage of a separate database is to prevent tampering.
> If the administrator is paranoid to have no faith in the encryption,
> then this is the only safe course. However, the strength of
> contemporary encryption is such that some people may feel it is
> appropriate to use embedded ones. I suspect you are not one of
> those. %^)
Encryption in itself is not a magic solution to this problem, only when
used properly in a safe and secure manner does it have meaning.