[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: TLS encrypted source for Debian iso signing keys?



On Mon, Jul 02, 2012 at 02:08:08PM -0700, anotst01@fastmail.fm wrote:
> I still do believe a TLS encrypted source to obtain the iso signing keys
> is necessary.

TLS encryption means that
- what travels over the connection is encrypted, and in theory only
  decryptable at the two endpoints
- the identity of the endpoints are authenticated by possession of
  certificates

Neither of these gives you any means of validating the provenance
of the data which you receive.

The GPG signatures let you validate that the content that you
downloaded has not been tampered with since it was signed and that
it is bit-for-bit identical with what the authors signed.  But you
could download it from anywhere, even an untrusted source, and
still be able to validate that it was the genuine article.

> What about the people who live many miles away from the next developer?
> Someone living on an isle should take the next flight just to get the
> gpg keys?

No necessarily.  Suppose you have a friend who has been to a
conference and exchanged signatures with the people he met there.
You can exchange signatures with your friend, and because you
trust him, you also trust the people he trusts.  This is the
principle for how the web of trust operates.

But meeting people directly means you can place a higher level of
trust in them, so it is desirable to do so.  I spent a day travelling
to Manchester from my home town to get my GPG key signed by a
Debian developer so I could initially join the project.  And I
subsequetly built up a collection of many tens of signatures over
the course of a decade, mainly from UK developers, but also from
people in the US, Europe etc.

This is the point of the web of trust--it's strong because it's
based upon physical interaction with other people and validating
their identities.  I can trust that this key is genuine because
I've met several people, who met other people, who met Steve,
Colin, Adam, etc., who then signed the archive signing key.  That
is exceedingly difficult to fake.

> The root CA's are not that bad. How many people do not get MITMed while
> doing stuff like online banking... Scammers use (spear)fishing, breaks
> in root CA's happen but are rare.

As I said above, these are generally used to solve a different
problem.  The actual ISO image is not signed with the certificate,
so the CA and TLS gives you nothing.

But (going off-topic), breaks in CAs do happen, and they issue
certificates to anyone who can pay, doing very little validation.
The security they provide is mostly illusory.  If you could
download the signing keys over TLS, what would that *really*
mean?  The answer is, outside the connection being encrypted,
not much, really.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


Reply to: