Re: Packages and signatures
On Sat, Jan 27, 2001 at 10:45:12PM -0500, Matt Zimmerman wrote:
> Not so. A compromise of a single server (or even multiple servers) can, with
> finite effort, be cleaned, and the data replaced with known good data (this may
> require restoring from backup, having maintainers upload new packages, etc.).
> Meanwhile, access to the compromised system can be shut down. Development
> would be crippled, but the damage would be contained.
>
> A compromised encryption key is much more difficult to fix. In order to
> control the damage, everyone who is trusting the key must be informed of its
> revocation. Rather than a single point at which to repair the intrusion, there
> exists an arbitrarily large number of them.
You forget compromised packages that would be necessary to track and renew.
Imagine that the site has been compromised for a month; now you need to get
all the people who downloaded packages, all the people who have burned CDs,
to redownload/validate their packages. The effort is the same, and it should
be, because as I said at the beginning of the thread... adding a key only
validates an existing "flow of trust", it doesn't change its shape.