
Re: About GPG-signing the public RSA keys of Debian machines



On Tue, 2006-10-10 at 21:57 +0200, Florent Rougon wrote:
> [ I think debian-admin have read enough about my request by now, so if
>   you reply about verifying certificates and such, please consider
>   dropping the CC. Thanks. ]
> 
> Kurt Roeckx <kurt@roeckx.be> wrote:
> 
> > See:
> > http://lists.debian.org/debian-project/2006/07/msg00056.html
> > Which has the key in it, and is signed by James Troup.
> 
> Good, thanks. IMHO, this mail should have been sent to dda, as happened
> with the compromise of 2003. This time, there was a mail to dda, ending
> with "We'll post more info as soon as we reasonably can", and nothing
> followed... for those who read dda and not -project. I did search
> through dda before starting this thread, and couldn't find what I was
> looking for (i.e., the new RSA key in a GPG-signed mail).
> 
> > Most Debian hosts should have an /etc/ssh/ssh_known_hosts with all host
> > keys in.  I suggest you read:
> > http://db.debian.org/doc-hosts.html
> 
> I had read that before starting the thread of course, but that doesn't
> point to GPG-signed RSA keys.
> 
> > Anyway, if you don't trust db.debian.org, how did you log in the
> > first time to any Debian machine?
> 
> The first time, yes, I had to trust the advertised key (I checked there
> was nothing obviously weird with the DNS data, but that's about it).
> However, this is not a reason to be careless when ssh warns you about
> the server using a new key.
> 
> And you're actually reinforcing my point: had the RSA keys been
> available in a GPG-signed message on db.debian.org, I would not have had
> to blindly accept the key the first time.
> 
> > I assume you've used https and that you verified the certificate?
> > And saw that it was issued by SPI?  And then you looked up SPI's
> > certificate?  And you found that there is a text file with the SHA1 and
> > MD5 sum signed by Wichert Akkerman?
> 
> Unfortunately, I'm not that competent with certificates. I already wrote
> I gave up when asked whether I trusted some entity in Brazil I had never
> heard about.
> 
> > For those that don't know those files:
> > http://www.spi-inc.org/secretary/spi-ca.crt
> > http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt
> 
> I didn't know these URLs, and I wouldn't bet they are well-known among
> DDs... Anyway, I can verify the GPG sig of spi-ca-fingerprint.txt, but
> then I don't know what the MD5 and SHA1 sums in it correspond to.
> 
> The file contains:
> 
>   MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5
> 
> but unfortunately:
> 
>   % md5sum /etc/ssl/certs/spi-ca.pem
>   33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem
> 

Try this:

david@gorilla:~/Desktop$ openssl x509 -md5 -fingerprint < spi-ca.crt |grep MD5
MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5


> And reading /etc/ssl/certs/spi-ca.pem is not very enlightening:
> 
> -----BEGIN CERTIFICATE-----
> MIIEFTCCA36gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBvjELMAkGA1UEBhMCVVMx
> EDAOBgNVBAgTB0luZGlhbmExFTATBgNVBAcTDEluZGlhbmFwb2xpczEoMCYGA1UE
> 
> [...]
> 
> iexO/AlorB49KnkFS7TjCAoLOZhcg5FaNiKnlstMI5krQmau1Qnb/vGSNsE/UGms
> 1ts+QYPUs0KmGEAFUri2XzLy+aQo9Kw74VBvqnxvaaMeY5yMcKNOieY=
> -----END CERTIFICATE-----
> 

And this:

david@gorilla:~/Desktop$ openssl x509 -text < spi-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Indiana, L=Indianapolis, O=Software in the Public Interest, OU=hostmaster, CN=Certification Authority/emailAddress=hostmaster@spi-inc.org
        Validity
            Not Before: Jan 15 16:29:17 2003 GMT
            Not After : Jan 14 16:29:17 2007 GMT
        Subject: C=US, ST=Indiana, L=Indianapolis, O=Software in the Public Interest, OU=hostmaster, CN=Certification Authority/emailAddress=hostmaster@spi-inc.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f0:7a:ad:da:22:2d:1d:d1:a1:db:4c:db:62:cc:
                    71:fc:1f:a9:be:4e:ac:93:65:ed:fc:26:be:c9:20:
                    17:bc:8f:ea:c7:43:d9:b3:9f:0c:85:e1:83:df:39:
                    da:38:58:f3:f9:0b:54:e1:5e:d4:42:c0:2f:63:b2:
                    37:84:40:c6:4d:2b:96:26:50:56:07:93:82:ab:e0:
                    90:e5:48:05:b3:70:82:78:cd:ea:6a:ad:b9:6c:c5:
                    88:f2:fe:35:74:04:c6:ae:34:23:7c:21:33:ee:25:
                    12:2c:12:1d:a5:7e:31:8c:56:6a:73:1d:85:cf:a4:
                    22:64:f9:d0:b2:9f:93:17:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                07:AD:E8:41:1D:7F:BD:D6:BF:1B:81:7A:3F:8C:4B:88:DE:04:D2:FA
            X509v3 Authority Key Identifier:
                keyid:07:AD:E8:41:1D:7F:BD:D6:BF:1B:81:7A:3F:8C:4B:88:DE:04:D2:FA
                DirName:/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certification Authority/emailAddress=hostmaster@spi-inc.org
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        9b:f0:1b:9f:c7:36:cb:59:ce:dd:f8:29:00:8b:25:c6:f8:bd:
        88:d0:59:0e:14:2d:27:45:50:65:8e:b0:81:27:c0:37:20:ce:
        47:80:d6:89:ec:4e:fc:09:68:ac:1e:3d:2a:79:05:4b:b4:e3:
        08:0a:0b:39:98:5c:83:91:5a:36:22:a7:96:cb:4c:23:99:2b:
        42:66:ae:d5:09:db:fe:f1:92:36:c1:3f:50:69:ac:d6:db:3e:
        41:83:d4:b3:42:a6:18:40:05:52:b8:b6:5f:32:f2:f9:a4:28:
        f4:ac:3b:e1:50:6f:aa:7c:6f:69:a3:1e:63:9c:8c:70:a3:4e:
        89:e6


-davidc
--
Beauty is in the eye of the beer holder.
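The two commands in the message disagree because `openssl x509 -fingerprint` hashes the certificate's DER encoding, whereas `md5sum spi-ca.pem` hashes the base64-armoured PEM text around it. The following Python is an added example, not part of this thread; it uses a constructed 40-byte stand-in for the DER blob (the real spi-ca.crt would be handled identically) and reproduces both computations so the difference is visible:

```python
import base64
import hashlib
import re

# Constructed sample: 40 arbitrary bytes standing in for a DER-encoded
# certificate. The hashing logic does not depend on the ASN.1 contents.
SAMPLE_DER = bytes(range(0x30, 0x30 + 40))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip line breaks inside the armour before base64-decoding.
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="md5"):
    """Colon-separated upper-case digest over the DER encoding, in the
    format that `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def file_digest(pem_text, algo="md5"):
    """What `md5sum file.pem` computes: a digest over the PEM text itself."""
    return hashlib.new(algo, pem_text.encode()).hexdigest()


def compare(pem_text):
    """Both views of the same certificate, side by side."""
    der = pem_to_der(pem_text)
    return {
        "md5_fingerprint": fingerprint(der, "md5"),
        "sha1_fingerprint": fingerprint(der, "sha1"),
        "md5sum_of_pem_file": file_digest(pem_text, "md5"),
    }


if __name__ == "__main__":
    for name, value in compare(SAMPLE_PEM).items():
        print(f"{name}: {value}")
```

Only the first two values can be checked against a signed fingerprint file such as spi-ca-fingerprint.txt; the third is what a plain checksum of the file yields and will never match.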