security projects thoughts
Daniel J. Luke
dluke at geeklair.net
Mon Apr 18 10:39:34 PDT 2011
On Apr 18, 2011, at 1:00 PM, Jeff Johnson wrote:
>
>> Where is the public key registered? Does the end-user installer do something like:
>
> In the scheme I outline, the package itself "registers" the pubkey.
I was actually interested in how/where the package registers the pubkey (and also how the end-user verifies this registration).
> If you don'y like "self signing", devise something different. There's
> all sorts of ways to register pubkeys. If I'm forced to continue
> with a registrar for RPM, then I will use a private SKS keyserver
> submission and include a RFC 3161 trusted time stamp, most likely
> from the service at startssl.
... and I guess this is the answer?
so if someone wants to maliciously inject a package, he/she would have to impersonate the private SKS keyserver in order to be successful, right? I haven't run a keyserver, and am not really familiar with the protocol implementation, so I can't speculate as to whether that would be something that is sufficiently hard to do (presumably, it is cryptographically hard - otherwise it doesn't appear to give any added protection).
--
Daniel J. Luke
+========================================================+
| *---------------- dluke at geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
| Opinions expressed are mine and do not necessarily |
| reflect the opinions of my employer. |
+========================================================+
More information about the macports-dev
mailing list