List:       kde-devel
Subject:    Re: Proposal: Implementing signing process for official tarballs
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-26 13:27:44
Message-ID: 4BFD21D0.30903 () invisiblethingslab ! com

On 05/26/2010 03:19 PM, Joanna Rutkowska wrote:
> On 05/26/2010 02:55 PM, Tobias Ellinghaus wrote:
>> On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
>>
>> [...]
>>
>>> Digital Signatures can prove that a given file is authentic, i.e. that
>>> it has been indeed created by a person that signed it (e.g. KDE release
>>> manager), and that its contents have not been tampered with since then.
>>
>> No, it only proves that a specific key has been used to sign the file 
>> (provided that it's hard to forge the signature). It does not prove whether 
>> the user or a virus, someone who stole/found the key, … signed it.
>>
> 
> That's absolutely true. That's why security of the desktop OS is so
> important. But I made a (silent) assumption that any serious
> developer/package manager, would be using a dedicated machine for
> development/packaging/signing. Specifically would not be using the same
> machine for also browsing the Web, etc.
> 
> (In fact this is what Qubes OS is all about: to create this level of
> isolation between VMs and let the user use one physical machine for
> many different activities).
> 
>> [...]
>>
>> I also miss a few words about revocation of compromised keys. That could be 
>> user keys which got lost or (worst case) the master key.
>>
> 
> There is no automatic key signature revocation mechanism for PGP/GPG
> keys AFAIK. PGP/GPG is different than X509 certificates where special
> revocation protocols exist.
> 
> But, the audience in this case is comprised of very technical users
> (mostly distribution builders/packagers), so I think it would be
> reasonable to implement the simplest possible revocation scheme: create
> a dedicated page (or just a text file) hosted at kde.org with the list
> of revoked GPG keys ids, signed with the master signing key. The users
> would be consulting this file before building a package. Additionally,
> every time a developer's key would be revoked, this might also be
> signaled by sending a message to the release-team list.
> 

The file listing the revoked keys should be updated every month (or
every week maybe?) and have the current month (week) clearly written in
the file, so that the attacker could not use a previous (also signed)
file instead, and pretend that some newly revoked keys are still valid.

It would be the job of those few master key admins to maintain this
revocation file (well before the first revocation event it might be just
empty).

j.
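The consumer-side check for the period-stamped revocation file proposed above, as an added example that is not part of this thread: it rejects a replayed older copy whose period no longer matches, then looks the developer's key id up in the list. The file layout (a `Period:` header plus `Revoked:` lines) and the key ids are constructed assumptions, and the caller is expected to have already verified the master-key signature over the text with `gpg --verify`.

```python
import re

# Constructed sample of the cleartext body such a signed file could carry.
SAMPLE_LIST = """\
# KDE revoked developer signing keys (constructed example)
Period: 2010-05
Revoked: 8A7B1C2D3E4F5A6B
Revoked: 0x1234567890abcdef
"""

KEYID_RE = re.compile(r"^(?:0x)?[0-9A-Fa-f]{16}$")


def normalize_key_id(key_id):
    """Validate a 16-hex-digit long key id, drop an optional 0x prefix, upper-case it."""
    key_id = key_id.strip()
    if not KEYID_RE.match(key_id):
        raise ValueError("malformed key id: %r" % key_id)
    return key_id[-16:].upper()


def parse_revocation_list(text):
    """Return (period, set of revoked key ids); malformed lines raise instead
    of being skipped, so a typo can never silently drop a revocation."""
    period, revoked = None, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, _, value = line.partition(":")
        if field == "Period":
            period = value.strip()
        elif field == "Revoked":
            revoked.add(normalize_key_id(value))
        else:
            raise ValueError("unknown field: %r" % field)
    if period is None:
        raise ValueError("no Period header")
    return period, revoked


def check_signing_key(text, key_id, period):
    """Return 'stale' if the list's Period differs from the given one (an attacker
    replaying an older, still validly signed file), 'revoked' if key_id is listed,
    else 'ok'. Call only after `gpg --verify` has accepted the master signature."""
    list_period, revoked = parse_revocation_list(text)
    if list_period != period:
        return "stale"
    return "revoked" if normalize_key_id(key_id) in revoked else "ok"
```

A packager would compute `period` from the current date (e.g. `date.today().strftime("%Y-%m")`) and refuse to build whenever the result is anything other than `ok`.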

