security projects thoughts

Jeff Johnson n3npq at mac.com
Mon Apr 18 11:01:38 PDT 2011 

On Apr 18, 2011, at 1:54 PM, Daniel J. Luke wrote:

> On Apr 18, 2011, at 1:50 PM, Jeff Johnson wrote:
>> 
>>> so if someone wants to maliciously inject a package, he/she would have to impersonate the private SKS keyserver in order to be successful, right? I haven't run a keyserver, and am not really familiar with the protocol implementation, so I can't speculate as to whether that would be something that is sufficiently hard to do (presumably, it is cryptographically hard - otherwise it doesn't appear to give any added protection).
>> 
>> Non-repudiable treats all content as "arbitrary". One needs to know the origin reliably,
>> there's too many nuances to "malicious".
>> 
>> So yes indeed: a "malicious" package that traverses the build system will
>> receive a non-repudiable signature just like every other package.
> 
> I'm not asking here about a package traversing the build system, I'm asking about a 3rd party package that has a self-generated signature.
> 

Differentiating a 3rd party package that originated outside of
The One True Build System needs either a trusted time stamp
(which has persistent trackable history) or a pubkey registry.

The issue hare so far hasn't been about 3rd party distributed build systems
and how origin authentication might apply to those other, non-existent,
systems. Heck The MacPorts "package build service" is so far
just a gleem in Jordan's eye ...

> Presumably, an end-user would know it's not an 'official' build product because the public key wouldn't be in the registry (which I guess would be a keyserver).
> 

Yep.

> My question was, how does the client know it's talking to a legitimate keyserver when it's validating the public key from the package.
> 

The usual means of securing pubkey retrieval for validation is to use a different
retrieval channel, with other means of securing the pubkey retrieval that is different
from the actual package signature.

By all means, set up all the usual security rituals if you wish. My point is solely
that binary package distribution needs "origin authentication", not all the rest
of the creepy-toe security ritual fetishism. And "origin authentication" is a mostly
solvable problem with "robo-signing" if resources are short.

73 de Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4645 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/macports-dev/attachments/20110418/15c917d7/attachment.bin>

More information about the macports-dev mailing list