Re: Revival of the signed debs discussion

To: Werner Koch <wk@gnupg.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Matthias Urlichs <smurf@smurf.noris.de>
Date: Wed, 3 Dec 2003 13:26:02 +0100
Message-id: <[🔎] 20031203122602.GA2549@play.smurf.noris.de>
In-reply-to: <[🔎] 87iskynm0b.fsf@alberti.g10code.de>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 1070384670.5053.14.camel@worldmusic.grep.be> <[🔎] 20031202184220.GA23655@khazad-dum.debian.net> <[🔎] pan.2003.12.02.21.16.29.11062@smurf.noris.de> <[🔎] 20031203104109.GB30785@grep.be> <[🔎] 20031203110809.GA29957@play.smurf.noris.de> <[🔎] 87iskynm0b.fsf@alberti.g10code.de>

Hi,

Werner Koch:
> There are some minor problems because we don't just sign a hash but
> need to add some more data.  Creating an incomplete hash on the remote
> machine is not the cleanest solution, so I have to come up with a
> better way.
> 
You're the GPG expert...


I'm also a bit concerned about MitM attacks; the hash-or-whatever which
the local side is supposed to sign should probably be encrypted with the
signer's public key, otherwise I can just replace the data packet with
something that ends up signing a totally different file. :-/

In other words, doing this isn't trivial.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf@smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
Show respect for age.  Drink good Scotch for a change.

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Werner Koch <wk@gnupg.org>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Wouter Verhelst <wouter@grep.be>
- Re: Revival of the signed debs discussion
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matthias Urlichs <smurf@smurf.noris.de>
- Re: Revival of the signed debs discussion
  - From: Wouter Verhelst <wouter@grep.be>
- Re: Revival of the signed debs discussion
  - From: Matthias Urlichs <smurf@smurf.noris.de>
- Re: Revival of the signed debs discussion
  - From: Werner Koch <wk@gnupg.org>

Prev by Date: Bug#222592: ITP: sks -- Synchronizing OpenPGP Key Server
Next by Date: Re: The term "Custom Debian Distribution" (Was Re: [custom] The term "flavor" and encouraging work on Debian)
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread