security projects thoughts

Arno Hautala arno at alum.wpi.edu
Mon Apr 18 08:25:10 PDT 2011


On Mon, Apr 18, 2011 at 10:35, Jeff Johnson <n3npq at mac.com> wrote:
>
> The actual implementation goes something like this:
>        a keypair is generated
>        just built packages are
>                a) include the pubkey
>                b) signed with the private key
>        and the private key is discarded.
>
> This isn't much different than "self-signed host certs" applied
> to software packages.

It would also seem to carry the same problems and introduce a few new.
It's effectively just saying that "this data is what it says it is".

No one runs a web server that generates a new cert for each page,
asset, or user. And at least with a static self-signed cert you can
run something like Certificate Patrol that informs you if the cert has
changed since you were there last. You can then decide whether to
investigate a cause for the change, if you care.

Maybe I'm missing something, but generating a new key pair for each
package doesn't seem any better than using a larger hash. Or is that
the point?


> A non-repudiable signature as above added to a package delivery
> service is what Jordan has been saying all along.

True, Jordan is advocating (I think) a system where a package is only
able to impact files that are part of the package, as identified by
the UUID. It would seem that some sort of signing would still be
required in order to ensure that an attacker doesn't simply duplicate
the UUID of another package. And then you're back to who to trust.

Have I miscontstrued anything here?

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448


More information about the macports-dev mailing list