security projects thoughts

Arno Hautala arno at alum.wpi.edu
Mon Apr 18 09:04:58 PDT 2011


On Mon, Apr 18, 2011 at 11:34, Jeff Johnson <n3npq at mac.com> wrote:
>
> You asked what other systems are in use. I replied. If you
> don't like what is implemented, all I can say is
>        Patches cheerfully accepted.

I asked what systems are in use in order to investigate options for MacPorts.
I'm pointing out an issue that I see with this example.

> What is the connection between a "web server" and "package management"?
> There are serious differences in the implementations and usage cases
> and risk factors involved. You cannot just reason that all "content delivery"
> is the same.

You mentioned non-repudiable signing as used by RedHat to be similar
to "self-signed host certs". I assumed this to be an analogy to web
servers. So I offered a critique of that analogy.

> Not even close to the point if you think more bits in a hash
> is more "secure".

It's at least part of the goal (re: larger hash space, lower chance of
collision).

> A trusted 3rd party registrar for pubkeys as well as including the pubkey
> in signed content (to avoid DoS attacks preventing pubkey retrieval) is
> the basis for the "trust".

I fail to see how trust is achieved from using single use key pairs.
Also, you hadn't previously mentioned anything about a 3rd party
registrar. If the single use keys are also signed by that 3rd party,
you're back to the issue of who to trust.

These are critiques of the system as presented to be in use by RedHat
and how that might direct MacPorts.

Personally, for trusting the build system, I'm leaning towards
supporting a system that robo-signs packages as they're built.
It might be nice to track ports back to their submitters with key
signing, but it's probably more trouble than it's worth right now. And
there's still the VCS history and Trac.

A leaked robo-key can always be revoked, and nothing in effective
security is ever ideal.
Even PGP key signing could be improved by tracing DNA back to most
recent common ancestor.

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448
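Added example (not part of the message above, and not MacPorts or RedHat code): a minimal sketch of the robo-signing scheme Arno proposes, i.e. a build host that signs each archive as it is produced and a client-side trust store that checks the signature and honours a revocation of a leaked build key. The key-ID scheme (first 8 bytes of the SHA-256 of the public key), the signed-message layout with the "macports-archive-v1" prefix, the type and function names, and the use of Ed25519 are all assumptions chosen for the illustration; the archive bytes are a constructed stand-in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Distinguishable failure modes for the client.
var (
	ErrUnknownKey     = errors.New("signature made by a key the client does not trust")
	ErrKeyRevoked     = errors.New("signing key has been revoked")
	ErrDigestMismatch = errors.New("archive digest does not match signed digest")
	ErrBadSignature   = errors.New("signature does not verify")
)

// PackageSignature is the hypothetical envelope a build host attaches to each archive.
type PackageSignature struct {
	KeyID  string   // which build key signed (assumed scheme: truncated SHA-256 of pubkey)
	Digest [32]byte // SHA-256 of the archive bytes
	Sig    []byte   // Ed25519 signature over signedMessage(KeyID, Digest)
}

// keyID derives a short, stable identifier from a public key (assumed scheme).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signedMessage binds the key ID to the digest under a fixed prefix (assumed layout),
// so a signature cannot be replayed under another key ID or in another protocol.
func signedMessage(id string, digest [32]byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("macports-archive-v1\n")
	buf.WriteString(id)
	buf.WriteByte('\n')
	buf.Write(digest[:])
	return buf.Bytes()
}

// RoboSigner is the unattended signing step on a build host.
type RoboSigner struct {
	priv ed25519.PrivateKey
	id   string
}

func NewRoboSigner() (*RoboSigner, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &RoboSigner{priv: priv, id: keyID(pub)}, pub, nil
}

// Sign produces the envelope for a freshly built archive.
func (s *RoboSigner) Sign(archive []byte) PackageSignature {
	digest := sha256.Sum256(archive)
	return PackageSignature{KeyID: s.id, Digest: digest,
		Sig: ed25519.Sign(s.priv, signedMessage(s.id, digest))}
}

// TrustStore is what a client ships with: accepted build keys plus withdrawn ones.
type TrustStore struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Trust registers a build key and returns its ID.
func (t *TrustStore) Trust(pub ed25519.PublicKey) string {
	id := keyID(pub)
	t.keys[id] = pub
	return id
}

// Revoke withdraws a key (e.g. after a leak). It is checked before the signature,
// so an otherwise valid signature from a revoked key is still rejected.
func (t *TrustStore) Revoke(id string) { t.revoked[id] = true }

// Verify checks an archive against its envelope: known key, not revoked,
// digest matches the bytes on disk, signature valid over key ID and digest.
func (t *TrustStore) Verify(archive []byte, ps PackageSignature) error {
	pub, ok := t.keys[ps.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if t.revoked[ps.KeyID] {
		return ErrKeyRevoked
	}
	if sha256.Sum256(archive) != ps.Digest {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(pub, signedMessage(ps.KeyID, ps.Digest), ps.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	signer, pub, err := NewRoboSigner()
	if err != nil {
		panic(err)
	}
	store := NewTrustStore()
	id := store.Trust(pub)
	archive := []byte("constructed stand-in for a built archive") // constructed sample
	env := signer.Sign(archive)
	fmt.Println("fresh build: ", store.Verify(archive, env))
	fmt.Println("tampered:    ", store.Verify(append([]byte("x"), archive...), env))
	store.Revoke(id) // the build host's key leaked; pull it
	fmt.Println("after revoke:", store.Verify(archive, env))
}
```

The point the sketch makes concrete: once the build key is revoked, every archive it ever signed fails to verify, which is why a leak is recoverable. What it does not solve is how the client learns about the revocation and which keys to load into the trust store in the first place; that is still the "who to trust" question raised above.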