[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About GPG-signing the public RSA keys of Debian machines

[ I think debian-admin have read enough about my request by now, so if
  you reply about verifying certificates and such, please consider
  dropping the CC. Thanks. ]

Kurt Roeckx <kurt@roeckx.be> wrote:

> See:
> http://lists.debian.org/debian-project/2006/07/msg00056.html
> Which has the key in it, and is signed by James Troup.

Good, thanks. IMHO, this mail should have been sent to dda, as happened
with the compromize of 2003. This time, there was a mail to dda, ending
with "We'll post more info as soon as we reasonably can", and nothing
followed... for those who read dda and not -project. I did search
through dda before starting this thread, and couldn't find what I was
looking for (i.e., the new RSA key in a GPG-signed mail).

> Most Debian hosts should have an /etc/ssh/ssh_known_hosts with all host
> keys in.  I suggest you read:
> http://db.debian.org/doc-hosts.html

I had read that before starting the thread of course, but that doesn't
point to GPG-signed RSA keys.

> Anyway, if you don't trust db.debian.org, how did you log in the
> first time to any Debian machine?

The first time, yes, I had to trust the advertised key (I checked there
was nothing obviously weird with the DNS data, but that's about it).
However, this is not a reason to be careless when ssh warns you about
the server using a new key.

And you're actually reinforcing my point: had the RSA keys been
available in a GPG-signed message on db.debian.org, I would not have had
to blindly accept the key the first time.

> I assume you've used https and that you verified the certificate?
> And saw that it was issued by SPI?  And then you looked up SPI's
> certificate?  And you found that there is a text file with the SHA1 and
> MD5 sum signed by Wichert Akkerman?

Unfortunately, I'm not that competent with certificates. I already wrote
I gave up when asked whether I trusted some entity in Brazil I had never
heard about.

> For those that don't know those files:
> http://www.spi-inc.org/secretary/spi-ca.crt
> http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt

I didn't know these URLs, and I wouldn't bet they are well-known among
DDs... Anyway, I can verify the GPG sig of spi-ca-fingerprint.txt, but
then I don't know what the MD5 and SHA1 sums in it correspond to.

The file contains:

  MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5

but unfortunately:

  % md5sum /etc/ssl/certs/spi-ca.pem
  33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem

And reading /etc/ssl/certs/spi-ca.pem is not very enlightening:

-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBvjELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0luZGlhbmExFTATBgNVBAcTDEluZGlhbmFwb2xpczEoMCYGA1UE

[...]

iexO/AlorB49KnkFS7TjCAoLOZhcg5FaNiKnlstMI5krQmau1Qnb/vGSNsE/UGms
1ts+QYPUs0KmGEAFUri2XzLy+aQo9Kw74VBvqnxvaaMeY5yMcKNOieY=
-----END CERTIFICATE-----

It would be nice to have the whole procedure for verifying the
authenticity of the certificates documented somewhere...

Thanks for your reply.

-- 
Florent
Reply to: