'Re: [Secure Desktops] Introducing a public db for software and firmware hashes'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       secure-desktops
Subject:    Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2017-04-14 8:07:27
Message-ID: 20170414080727.GC30521 () work-mutt
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Apr 12, 2017 at 11:59:30AM +0200, intrigeri wrote:
> Hi,
> 
> Joanna Rutkowska:
> > Also, in case it wasn't clear: the primary audience for such a DB should be
> > developers or admins (e.g. IT department in a large organization), I think. Not
> > users. Users are always somehow fated to trust the "last mile" vendor, and there
> > is little feasibility in implementing any form of trust distribution for them.
> 
> Thanks, this clearly addresses the main question that popped up in my
> mind when I first read about this initiative.
> 
> Just to make sure I got the idea right, does the following "user"
> story convey a good example of the intended use case?
> 
>   As a person who maintains Tails installations for a number of people
>   (e.g. to access files sent to SecureDrop), I want to have additional
>   means of verifying the Tails ISO I've downloaded, on top of the
>   various verification means (hash downloaded over pinned HTTPS by our
>   Firefox add-on, OpenPGP detached signature) already made available
>   by the Tails project.
> 
>   Given I create a fork of the canonical codehash.db repo
>   And I regularly merge into my fork the branches from witnesses I trust
>   When I download a new Tails ISO
>   And I run some command line
>   Then I am told which witness certifies I got the same ISO as they did
>   And I am told which witness certifies I got a different ISO than theirs
> 
> Also, did specific admins (IT departments etc.) already express
> interest in maintaining + using this? In particular, I'd love to hear
> what the SecureDrop folks think about it :)  And if not, is there
> a plan to reach out to these people so this data is actually used
> and useful?
> 
> Rationale: before we consider adding one more step to the (already too
> long) Tails release process, I want to make sure I get the intended
> benefit right :)
> 

Hi intrigeri,

Yes, the scenario you described above is exactly what I have had in mind. So
it's all about answering a question: "Am I in the same boast as <some other
person you consider worthwhile to compare with". 

joanna.