
Re: PREVIEW: bsign embeds hash and/or digital signature in ELF files



On Mon, Dec 14, 1998 at 01:38:10PM -0700, Jason Gunthorpe wrote:
> 
> On Mon, 14 Dec 1998, Buddha Buck wrote:
> 
> > If this isn't the case, then signed email is worthless, since many 
> > people can (and to a limited extent, do) write to and modify the 
> > message in transit.
> 
> Email you know who was supposed to sign it (the sender) and you trust the
> content based on that tag in an intelligent way. So yes someone could
> hijack your mail, remove the signature, resign it with another key and
> change the from address but you would notice that! With an embedded
> signature that can be one of many choices all the attacker has to do is
> break one of the many keys and resign it that one, or insert his key into
> the keyring and sign, etc. This is why digital signatures that we
> distribute with packages have little worth.

Agreed.  I believe I made the point before that bsign certs only make
sense when the sysadmin trusts the signature.  I can see it being
useful to have debian maintainers sign their binaries as part of a
chain of trust.  The SA installs a package and resigns it with his own
key after checking the existing signature against his copy of the
debian keyring.  Sure, the debian signature is next to worthless, but
it does establish an audit trail.  If someone's key is hacked we can
find where that key was used to authenticate binaries and root them out.

At the moment, if one of our developer's keys is hacked and a
malicious package gets into debian, we can infer which binaries may be
vulnerable, but we cannot perform a simple scan for the compromised
key.

AFAIK, what I am proposing is a primary application for digital
signatures.
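The signing chain proposed in this message, as an added example that is not part of the thread, of bsign, or of Debian's tooling: a maintainer signs a binary, the sysadmin verifies that signature against a local copy of the maintainer keyring and countersigns with a local key, and a later scan lists every binary whose signature trail includes a given (compromised) key id. Real bsign and GnuPG use public-key signatures; here HMAC-SHA256 with a per-key secret stands in for the signature primitive so the example runs offline with only the standard library. The key ids, keyring contents, paths and binary contents are all constructed for illustration.

```python
"""Model of a countersigned audit trail for installed binaries.

Added example, not code from the thread or from bsign. HMAC-SHA256 over a
per-key secret is a stand-in for a real public-key signature; the keyring
here maps key id -> secret, where a real keyring would hold public keys.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Signature:
    key_id: str   # id of the key that produced this entry
    digest: str   # hex SHA-256 of the binary contents at signing time
    mac: str      # stand-in signature over (key_id, digest)


@dataclass
class SignedBinary:
    name: str
    data: bytes
    trail: list = field(default_factory=list)  # Signature entries, oldest first


# Constructed keyrings: the sysadmin's copy of the maintainer keyring and the
# sysadmin's own key. Key ids and secrets are invented for the example.
DEBIAN_KEYRING = {"0xMAINT1": b"secret-maint1", "0xMAINT2": b"secret-maint2"}
ADMIN_KEYRING = {"0xADMIN": b"secret-admin"}


def content_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, key_id: str, digest: str) -> str:
    return hmac.new(key, f"{key_id}:{digest}".encode(), hashlib.sha256).hexdigest()


def sign(binary: SignedBinary, key_id: str, keyring: dict) -> None:
    """Append a signature by key_id over the binary's current contents."""
    digest = content_digest(binary.data)
    binary.trail.append(Signature(key_id, digest, _mac(keyring[key_id], key_id, digest)))


def verify(binary: SignedBinary, sig: Signature, keyring: dict) -> bool:
    """True if sig was made by a key in keyring over the binary's current contents."""
    if sig.key_id not in keyring:
        return False
    if sig.digest != content_digest(binary.data):
        return False  # contents changed since this signature was made
    return hmac.compare_digest(_mac(keyring[sig.key_id], sig.key_id, sig.digest), sig.mac)


def install(binary: SignedBinary, maintainer_keyring: dict,
            admin_key_id: str, admin_keyring: dict) -> None:
    """Sysadmin step: check the newest maintainer signature against the local
    keyring copy, then countersign with the local key. Raises if the check fails."""
    if not binary.trail:
        raise ValueError(f"{binary.name}: no maintainer signature present")
    last = binary.trail[-1]
    if not verify(binary, last, maintainer_keyring):
        raise ValueError(f"{binary.name}: signature by {last.key_id} does not verify")
    sign(binary, admin_key_id, admin_keyring)


def signed_by(binaries: list, key_id: str) -> list:
    """Forensic scan: names of binaries whose trail includes key_id anywhere.
    No re-verification here on purpose: after a key compromise every binary
    that claims that key is suspect, modified or not."""
    return sorted(b.name for b in binaries if any(s.key_id == key_id for s in b.trail))


def demo() -> list:
    """Two maintainers sign one binary each, the sysadmin installs both, then
    0xMAINT1 is assumed compromised and the installed tree is scanned."""
    foo = SignedBinary("/usr/bin/foo", b"\x7fELF-constructed-foo")
    bar = SignedBinary("/usr/bin/bar", b"\x7fELF-constructed-bar")
    sign(foo, "0xMAINT1", DEBIAN_KEYRING)
    sign(bar, "0xMAINT2", DEBIAN_KEYRING)
    for binary in (foo, bar):
        install(binary, DEBIAN_KEYRING, "0xADMIN", ADMIN_KEYRING)
    return signed_by([foo, bar], "0xMAINT1")  # -> ['/usr/bin/foo']


if __name__ == "__main__":
    print(demo())
```

The install step is where trust actually decides anything: a binary whose contents changed after the maintainer signed, or whose signature was made by a key absent from the local keyring copy, is rejected before the sysadmin's key is ever applied. The scan deliberately does not re-verify, since the question after a compromise is where the key was used, not whether the signatures still check out.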

