security projects thoughts

Daniel J. Luke dluke at geeklair.net
Mon Apr 18 15:42:44 PDT 2011


On Apr 18, 2011, at 3:11 PM, Jeff Johnson wrote:
> 
> On Apr 18, 2011, at 2:40 PM, Daniel J. Luke wrote:
>> I'm asking about creepy uncle joe's skanky package build system that the local coffee shop network has been set up to make look like it's the product of the official build system.
> 
> Creepy uncle joe's skanky build system is detectable with limited RW access
> to an RFC 3161 (or any other means of getting a trusted time stamp that is
> trackable). 

Maybe I'm mis-skimming RFC 3161, but it looks like it would enable you to detect if a package had been modified, but not verify that a package had been signed by a non-trusted key.

> I do suggest looking
> seriously at one-time keypair generation because it mostly avoids the
> need to protect the private key: the private key exists for only a short
> period of time within a given execution context on TOTBS.

I like the one-time keypair idea, but I guess I don't see the value if you can't verify that the public key is a 'proper' one.

>> ie, something outside of the build system that wants to look like it came from it.
> 
> So the security ritual would involve one of two means (largely identical
> because a "trusted" 3rd party is involved):
> 	verify that time stamp in signed package content is/was registered
> 	verify that pubkey in signed package content is/was registered
> The increased trust comes from limiting RW access to the trusted registrar
> (which is quite simple to cruft up in the TOTBS with certs and firewalls etc).

... you have to trust your connection to the trusted 3rd party ... (one reasonable way might be to dist validation info, a public key or whatever, with MacPorts).

>> I thought the context here was that we can't trust the network to reliably send us to the official server that contains macports packages.
> 
> You have a far broader context. If you want to solve that problem,
> there's nothing I'm saying that stops you from solving whatever problem
> you wish to solve.

OK, so what problem is your suggestion (one-time keypairs) solving? People tampering with the build products after the build system has created them?

> Read the model, not the implementation. I'm discussing a model, not
> an implementation, and claiming that binary packaging needs only
> "origin authentication".

Isn't 'origin authentication' validating that a package really came from MacPorts (and not from some other place?). That's what you said above is a 'far broader context'.

--
Daniel J. Luke
+========================================================+
| *---------------- dluke at geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
|   Opinions expressed are mine and do not necessarily   |
|          reflect the opinions of my employer.          |
+========================================================+
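The model discussed above (a one-time keypair per build, with a trusted registrar recording which public keys the official build system used, so a client checks both the signature and the key's registration) as an added Go example; it is not code from the thread or from MacPorts, and the Registrar type, the use of ed25519 one-time keys and the SHA-256 content digest are my assumptions for illustration. The second result of Verify is what separates the official build system from an impostor whose signatures are otherwise perfectly valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Registrar stands in for the trusted 3rd party: it records every public key the
// official build system has used. Only the build system can write to it;
// clients only read from it (hypothetical type, constructed for this example).
type Registrar struct{ keys map[string]bool }

func NewRegistrar() *Registrar { return &Registrar{keys: map[string]bool{}} }

func (r *Registrar) Register(pub ed25519.PublicKey) { r.keys[hex.EncodeToString(pub)] = true }
func (r *Registrar) IsRegistered(pub ed25519.PublicKey) bool { return r.keys[hex.EncodeToString(pub)] }

// SignedPackage is the package content plus the one-time public key and signature.
type SignedPackage struct {
	Content []byte
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// BuildAndSign generates a one-time keypair, signs the content digest, and registers
// the public key when the caller is the official build system. The private key is
// dropped on return, so there is nothing long-lived to protect.
func BuildAndSign(content []byte, reg *Registrar, official bool) (SignedPackage, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedPackage{}, err
	}
	digest := sha256.Sum256(content)
	sig := ed25519.Sign(priv, digest[:])
	if official {
		reg.Register(pub)
	}
	return SignedPackage{Content: content, PubKey: pub, Sig: sig}, nil
}

// Verify reports whether the signature checks out and, separately, whether the
// signing key is one the registrar knows. A package from an impostor build system
// passes the first check and fails the second; tampered content fails the first.
func Verify(p SignedPackage, reg *Registrar) (sigOK, keyRegistered bool) {
	digest := sha256.Sum256(p.Content)
	return ed25519.Verify(p.PubKey, digest[:], p.Sig), reg.IsRegistered(p.PubKey)
}
```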

More information about the macports-dev mailing list