[prev in list] [next in list] [prev in thread] [next in thread]
List: secure-desktops
Subject: Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From: intrigeri <intrigeri () boum ! org>
Date: 2017-04-12 9:59:30
Message-ID: 85d1cihrp9.fsf () boum ! org
[Download RAW message or body]
Hi,
Joanna Rutkowska:
> Also, in case it wasn't clear: the primary audience for such a DB should be
> developers or admins (e.g. IT department in a large organization), I think. Not
> users. Users are always somehow fated to trust the "last mile" vendor, and there
> is little feasibility in implementing any form of trust distribution for them.
Thanks, this clearly addresses the main question that popped up in my
mind when I first read about this initiative.
Just to make sure I got the idea right, does the following "user"
story convey a good example of the intended use case?
As a person who maintains Tails installations for a number of people
(e.g. to access files sent to SecureDrop), I want to have additional
means of verifying the Tails ISO I've downloaded, on top of the
various verification means (hash downloaded over pinned HTTPS by our
Firefox add-on, OpenPGP detached signature) already made available
by the Tails project.
Given I create a fork of the canonical codehash.db repo
And I regularly merge into my fork the branches from witnesses I trust
When I download a new Tails ISO
And I run some command line
Then I am told which witness certifies I got the same ISO as they did
And I am told which witness certifies I got a different ISO than theirs
Also, did specific admins (IT departments etc.) already express
interest in maintaining + using this? In particular, I'd love to hear
what the SecureDrop folks think about it :) And if not, is there
a plan to reach out to these people so this data is actually used
and useful?
Rationale: before we consider adding one more step to the (already too
long) Tails release process, I want to make sure I get the intended
benefit right :)
Cheers,
--
intrigeri
_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic