security projects thoughts

Jeff Johnson n3npq at mac.com
Mon Apr 18 08:34:32 PDT 2011


On Apr 18, 2011, at 11:25 AM, Arno Hautala wrote:

> On Mon, Apr 18, 2011 at 10:35, Jeff Johnson <n3npq at mac.com> wrote:
>> 
>> The actual implementation goes something like this:
>>        a keypair is generated
>>        just built packages are
>>                a) include the pubkey
>>                b) signed with the private key
>>        and the private key is discarded.
>> 
>> This isn't much different than "self-signed host certs" applied
>> to software packages.
> 
> It would also seem to carry the same problems and introduce a few new.
> It's effectively just saying that "this data is what it says it is".
> 

You asked what other systems are in use. I replied. If you
don't like what is implemented, all I can say is
	Patches cheerfully accepted.

> No one runs a web server that generates a new cert for each page,
> asset, or user. And at least with a static self-signed cert you can
> run something like Certificate Patrol that informs you if the cert has
> changed since you were there last. You can then decide whether to
> investigate a cause for the change, if you care.
> 

What is the connection between a "web server" and "package management"?
There are serious differences in the implementations and usage cases
and risk factors involved. You cannot just reason that all "content delivery"
is the same.

> Maybe I'm missing something, but generating a new key pair for each
> package doesn't seem any better than using a larger hash. Or is that
> the point?
> 

Not even close to the point if you think more bits in a hash
is more "secure".

A trusted 3rd party registrar for pubkeys as well as including the pubkey
in signed content (to avoid DoS attacks preventing pubkey retrieval) is
the basis for the "trust".

> 
>> A non-repudiable signature as above added to a package delivery
>> service is what Jordan has been saying all along.
> 
> True, Jordan is advocating (I think) a system where a package is only
> able to impact files that are part of the package, as identified by
> the UUID. It would seem that some sort of signing would still be
> required in order to ensure that an attacker doesn't simply duplicate
> the UUID of another package. And then you're back to who to trust.
> 
> Have I miscontstrued anything here?
> 

Dunno. You asked what other "package managers" are doing.

I replied, nothing more.

Ask Jordan what Jordan is doing. IMHO, the idea for a "package service"
is KISSier for "package management" than any other scheme I know of.

73 de Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4645 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/macports-dev/attachments/20110418/7b73a957/attachment.bin>


More information about the macports-dev mailing list