security projects thoughts

Daniel J. Luke dluke at geeklair.net
Mon Apr 18 11:16:53 PDT 2011


On Apr 18, 2011, at 2:01 PM, Jeff Johnson wrote:
> 
> Differentiating a 3rd party package that originated outside of
> The One True Build System needs either a trusted time stamp

how does a trusted time stamp tell you that the origin wasn't from the one true build system?

> (which has persistent trackable history) or a pubkey registry.
> 
> The issue here so far hasn't been about 3rd party distributed build systems
> and how origin authentication might apply to those other, non-existent,
> systems. Heck The MacPorts "package build service" is so far
> just a gleam in Jordan's eye ...

I thought that the problem this was supposed to fix was to prevent installation of rogue packages (but maybe I misunderstood)?

>> My question was, how does the client know it's talking to a legitimate keyserver when it's validating the public key from the package.
> 
> The usual means of securing pubkey retrieval for validation is to use a different
> retrieval channel, with other means of securing the pubkey retrieval that is different
> from the actual package signature.

Anyone who is going to the trouble to impersonate the package server (route mangling, DNS hijacking, whatever) can also redirect flows meant for pubkey validation. I don't see what the signature buys if it can't be reliably verified.

I don't necessarily have an answer for the problem either (I suppose the official clients could have some auth token they could use to validate the pubkey registration server).

> By all means, set up all the usual security rituals if you wish.

I don't :)

> My point is solely
> that binary package distribution needs "origin authentication", not all the rest
> of the creepy-toe security ritual fetishism. And "origin authentication" is a mostly
> solvable problem with "robo-signing" if resources are short.

It sounds good to me. I'm just trying to wrap my head around it.

--
Daniel J. Luke
+========================================================+
| *---------------- dluke at geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
|   Opinions expressed are mine and do not necessarily   |
|          reflect the opinions of my employer.          |
+========================================================+
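The exchange above turns on one distinction: a signature proves origin only if the verifying key reaches the client over a channel the package server cannot also control. The following is an added illustration, not code from this thread or from MacPorts, and the package format, key names and fingerprint scheme in it are assumptions. It contrasts three client checks: trusting the key that arrives with the package, verifying against a key pinned in the client, and accepting a key fetched from a registry only when its fingerprint matches a pinned one (the "different retrieval channel" Jeff describes, with the pin standing in for the out-of-band secret Daniel suggests the official clients could carry).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PackageManifest is a constructed stand-in for what a binary package server
// hands a client: the archive, a detached signature over its digest, and the
// public key the server *claims* produced that signature (same-channel key).
type PackageManifest struct {
	Archive    []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

func digest(archive []byte) []byte {
	h := sha256.Sum256(archive)
	return h[:]
}

// SignPackage is the build system's "robo-signing" step: sign the archive
// digest with the build key and attach the matching public key.
func SignPackage(priv ed25519.PrivateKey, archive []byte) PackageManifest {
	return PackageManifest{
		Archive:    archive,
		Signature:  ed25519.Sign(priv, digest(archive)),
		ClaimedKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyWithClaimedKey trusts whatever key came with the package. It only
// shows the key and signature are self-consistent; anyone who can serve the
// package can also serve a key of their own, so it proves nothing about origin.
func VerifyWithClaimedKey(m PackageManifest) bool {
	return ed25519.Verify(m.ClaimedKey, digest(m.Archive), m.Signature)
}

// VerifyWithPinnedKey checks against a key the client obtained out of band
// (shipped inside the client, or fetched over a separately authenticated path).
func VerifyWithPinnedKey(pinned ed25519.PublicKey, m PackageManifest) bool {
	return ed25519.Verify(pinned, digest(m.Archive), m.Signature)
}

// KeyMatchesPin accepts a key fetched from a key registry only when its
// SHA-256 fingerprint equals one the client already holds. This lets the
// client fetch the full key online while the trust anchor stays offline.
func KeyMatchesPin(pinFingerprint [32]byte, fetched ed25519.PublicKey) bool {
	return sha256.Sum256(fetched) == pinFingerprint
}

// Outcome collects the results of the three checks for one genuine and one
// rogue package so they can be inspected or asserted on.
type Outcome struct {
	ClaimedKeyAcceptsRogue bool // true: same-channel key gives no origin proof
	PinnedKeyAcceptsRogue  bool // false: pinned key rejects the rogue package
	PinnedKeyAcceptsGood   bool // true: pinned key accepts the genuine package
	RogueKeyMatchesPin     bool // false: registry key with wrong fingerprint
	GoodKeyMatchesPin      bool // true: registry key with pinned fingerprint
}

// Run builds the scenario with freshly generated keys (constructed data).
func Run() Outcome {
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader) // the build system
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)        // an impersonator
	pin := sha256.Sum256(buildPub)                             // pinned in the client

	genuine := SignPackage(buildPriv, []byte("constructed: foo-1.0 archive"))
	rogue := SignPackage(roguePriv, []byte("constructed: tampered foo-1.0 archive"))

	return Outcome{
		ClaimedKeyAcceptsRogue: VerifyWithClaimedKey(rogue),
		PinnedKeyAcceptsRogue:  VerifyWithPinnedKey(buildPub, rogue),
		PinnedKeyAcceptsGood:   VerifyWithPinnedKey(buildPub, genuine),
		RogueKeyMatchesPin:     KeyMatchesPin(pin, rogue.ClaimedKey),
		GoodKeyMatchesPin:      KeyMatchesPin(pin, genuine.ClaimedKey),
	}
}

func main() {
	o := Run()
	fmt.Printf("rogue package, key from same channel accepted: %v\n", o.ClaimedKeyAcceptsRogue)
	fmt.Printf("rogue package, pinned build key accepted:      %v\n", o.PinnedKeyAcceptsRogue)
	fmt.Printf("genuine package, pinned build key accepted:    %v\n", o.PinnedKeyAcceptsGood)
	fmt.Printf("rogue registry key matches pin:                %v\n", o.RogueKeyMatchesPin)
	fmt.Printf("genuine registry key matches pin:              %v\n", o.GoodKeyMatchesPin)
}
```

The first check is the one Daniel objects to: it succeeds for the rogue package because the impersonator controls both the package and the key beside it. The pinned-key and fingerprint checks succeed only for the genuine package, which is the whole content of "origin authentication" here; how the pin itself gets into the client (build-time embedding, a signed client update, or an auth token against the registry) is the part the thread leaves open.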
More information about the macports-dev mailing list