
Re: Packages and signatures



On Sun, Jan 28, 2001 at 03:03:06AM -0300, Nicolás Lichtmaier wrote:

> On Sat, Jan 27, 2001 at 10:45:12PM -0500, Matt Zimmerman wrote:
> > Not so.  A compromise of a single server (or even multiple servers) can,
> > with finite effort, be cleaned, and the data replaced with known good data
> > (this may require restoring from backup, having maintainers upload new
> > packages, etc.).  Meanwhile, access to the compromised system can be shut
> > down.  Development would be crippled, but the damage would be contained.
> 
>  You forget compromised packages that would be necessary to track and renew.
>  Imagine that the site has been compromised for a month, now you need to get
>  all the people who downloaded packages, all the people who have burned CDs,
>  to redownload/validate their packages. The effort is the same, and it should
>  be, because as I said at the beginning of the thread.. adding a key only
>  validates an existing "flow of trust", it doesn't change its shape.

I disagree.  Consider the following two scenarios:

A CD vendor presses a CD using the contents of the archive at time X, and the
archive is compromised at X+k.  The CD vendor does not need to worry about his
CD contents.

A CD vendor burns a CD using signed packages from the archive at time X, and
the key(s) used to sign them is/are compromised at X+k.  The CD vendor has a CD
full of essentially unsigned packages (even though the packages are probably
safe).  The CD vendor needs to press new CDs.

It is not a problem of differing security (it never was), but of validation.

-- 
 - mdz
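The two scenarios above, as an added illustration that is not part of the thread: an HMAC stands in for the archive's public-key signature, and the package names, key id, key material and times X and k are constructed placeholders. The point it shows is that a verifier must reject everything from a revoked key, even signatures that claim to predate the compromise, because the holder of the key can backdate the claimed signing time.

```python
import hashlib
import hmac

# Constructed sample "packages" and timeline (not real archive contents).
PACKAGES = {"foo_1.0.deb": b"foo contents", "bar_2.1.deb": b"bar contents"}
X, K = 1000, 30                            # CD press time, offset of the compromise
ARCHIVE_KEY = b"archive-signing-secret"    # constructed stand-in for the archive key
KEY_ID = "archive-2001"                    # constructed key identifier

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, key_id: str, data: bytes, signed_at: int) -> dict:
    """HMAC standing in for a real signature; binds the package digest to the
    time the signer *claims* it signed."""
    d = digest(data)
    mac = hmac.new(key, f"{d}|{signed_at}".encode(), "sha256").hexdigest()
    return {"key_id": key_id, "signed_at": signed_at, "digest": d, "sig": mac}

def verify(sig: dict, data: bytes, keys: dict, revoked: dict) -> bool:
    """keys: key_id -> secret; revoked: key_id -> time the key was compromised.
    A revoked key is rejected outright, including for signatures whose
    signed_at predates the compromise: whoever holds the key can backdate
    signed_at at will, so the claimed time is not evidence of anything."""
    if sig["key_id"] in revoked or sig["key_id"] not in keys:
        return False
    if sig["digest"] != digest(data):
        return False
    msg = f'{sig["digest"]}|{sig["signed_at"]}'.encode()
    expected = hmac.new(keys[sig["key_id"]], msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, sig["sig"])

def cd_from_unsigned_snapshot_ok() -> bool:
    """Scenario 1: the vendor records digests of the archive contents at X and
    presses a CD from them. A compromise of the archive at X+k changes neither
    the CD nor the vendor's own record, so the check still succeeds."""
    snapshot = {name: digest(data) for name, data in PACKAGES.items()}  # taken at X
    cd = dict(PACKAGES)                                                 # pressed at X
    # archive compromised at X + K: nothing on the CD or in the record changes
    return all(digest(cd[name]) == snapshot[name] for name in snapshot)

def cd_from_signed_packages_ok(key_compromised: bool = True) -> bool:
    """Scenario 2: the CD carries packages signed at X with the archive key.
    If that key is later found compromised (at X+k) and revoked, every
    signature on the CD fails, even though the packages were probably fine."""
    cd = {n: (d, sign(ARCHIVE_KEY, KEY_ID, d, X)) for n, d in PACKAGES.items()}
    keys = {KEY_ID: ARCHIVE_KEY}
    revoked = {KEY_ID: X + K} if key_compromised else {}
    return all(verify(sig, data, keys, revoked) for data, sig in cd.values())
```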
