
Re: PREVIEW: bsign embeds hash and/or digital signature in ELF files



On Mon, Dec 14, 1998 at 02:15:21PM -0700, Jason Gunthorpe wrote:
> 
> On Mon, 14 Dec 1998, Oscar Levi wrote:
> 
> > Agreed.  I believe I made the point before that bsign certs only make
> > sense when the sysadmin trusts the signature.  I can see it being
> > useful to have debian maintainers sign their binaries as part of a
> > chain of trust.  The SA installs a package and resigns it with his own
> > key after checking the existing signature against his copy of the
> > debian keyring.  Sure, the debian signature is next to worthless, but
> > it does establish an audit trail.  If someone's key is hacked we can
> > find where that key was used to authenticate binaries and rout them.
> 
> We already have an audit trail, it's called the .dsc file. If you get a
> package that has hacked programs in it then we can match them against our
> .deb and .dsc to see if they came from us, and see who uploaded them.
> Individual file authentication is no better.

I don't agree.  It is infinitely easier to run a simple script against
the files on a machine looking for signatures than it is to crosscheck
the files against another database.  If I have a machine where the
pernicious infiltrator has tampered with the /var/lib/dpkg directories
or has otherwise obscured the trojan horse, the DSC's and DEBs don't
help.  If something goes out-of-sync with the dpkg trail, I may not
know who is responsible for which files on a given machine.  The only
way to verify a system in a *predictable* amount of time is to require
a tattoo on every binary.

Look, I have no intention of trying to force this on anyone.  If
developers want to sign their binaries, fine.  If they don't, fine.  If
debian makes it a policy that no one can sign their binaries, well
that would be odd.  Really, the only signature that is important is
one that the SA recognizes and trusts.  Developers who sign their
binaries will do so because they think it adds value.

I'm looking for feedback to make sure nothing is overlooked.  Your
comments are appreciated.

Cheers.

