
Re: Crypto signing of packages



In article <199702181818.TAA17417@oehansen.telia.com> you write:

>Certify a maintainer, and have him send you a between-you-two-only key, that
>he will use only for uploads.  This key is sent via snail-mail, and signed
>by hand.  This should make it relatively certain that the key in question
>is one known only by Debian and the Maintainer (a must for secure transition).

And how do you propose to verify the signatures? Far better would be to 
send the maintainer key using standard public key encryption and verify 
the resulting fingerprint over the phone. 

>When a maintainer needs to upload, he sends a request to Debian, stating
>the package he wants to upload.  The Debian system then sends back a response
>telling him when the upload can take place, along with a
>random keyword... encrypted with the Maintainer-Debian only key.  The
>maintainer can then upload his package, at the time given and with the one-time
>only keyword, valid only for that particular package, time and maintainer.

WHAT! As if it took long enough already to get packages uploaded. What is 
wrong with using something like ssh or scp to transfer the package? At least 
then you have a chance of authenticating the sender and stopping IP spoof 
attacks against the upload site. Combine that with package signature testing 
and you should be secure against outsiders uploading packages. Of course, 
if any other access to the upload machine is available then other attacks
are possible.

The only way to do a "secure" key exchange is in person or with a one-time
pad (FSVO of secure)

Jon.


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
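The two checks argued for in this reply, as an added example that is not part of the original thread or of any Debian tooling: first the maintainer's key fingerprint is rendered in a form that can be read out over the phone and compared against what is read back; then the upload site accepts a package only if its detached signature verifies under that phone-verified key. To stay within the Python standard library the example uses a Lamport one-time signature as a stand-in for the PGP/RSA signatures the thread has in mind (the verification logic is the same shape: a registered public key, a package, a signature); the SHA-256 fingerprint format, the function names and the "package" bytes are all my constructions.

```python
"""
Added example (not from the original thread): model of the upload-site
checks discussed above -- out-of-band fingerprint verification of the
maintainer's key, then signature verification of each upload.

Assumptions (mine, not the page's): a Lamport one-time signature stands in
for PGP signatures so that only the standard library is needed; the key
fingerprint is SHA-256 over the serialized public key, shown in groups of
four hex digits for reading over the phone. Keys and the sample "package"
bytes are constructed here.
"""
import hashlib
import hmac
import secrets

N_BITS = 256  # we sign the SHA-256 digest of the package: one key pair per bit


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(data: bytes):
    """Bits of SHA-256(data), most significant first."""
    d = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, data: bytes) -> bytes:
    """Reveal one preimage per digest bit. A Lamport key must never sign twice."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(data)))


def lamport_verify(pk, data: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare with the registered public key."""
    if len(sig) != 32 * N_BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(data)):
        chunk = sig[32 * i:32 * (i + 1)]
        ok &= hmac.compare_digest(hashlib.sha256(chunk).digest(), pk[i][bit])
    return ok


def serialize_pk(pk) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in pk)


def fingerprint(pk) -> str:
    """Fingerprint of the received key, grouped so it can be read over the phone."""
    h = hashlib.sha256(serialize_pk(pk)).hexdigest().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprint_matches(pk, spoken: str) -> bool:
    """Compare the locally computed fingerprint with what the maintainer read back."""
    local = fingerprint(pk).replace(" ", "").lower().encode()
    heard = "".join(spoken.split()).lower().encode()
    return hmac.compare_digest(local, heard)


def accept_upload(registered_pk, package: bytes, sig: bytes) -> bool:
    """Upload-site check: the package signature must verify under the
    maintainer's registered (fingerprint-verified) key; anything else is refused."""
    return lamport_verify(registered_pk, package, sig)


if __name__ == "__main__":
    sk, pk = lamport_keygen()                      # maintainer generates a key
    print("read this over the phone:", fingerprint(pk))
    assert fingerprint_matches(pk, fingerprint(pk))  # Debian side confirms it

    package = b"constructed sample: hello_1.0-1.deb contents"
    sig = lamport_sign(sk, package)
    print("genuine upload accepted:", accept_upload(pk, package, sig))
    print("tampered package accepted:", accept_upload(pk, package + b"x", sig))
```

The fingerprint step is what makes the "send the key with public-key encryption" route safe: an attacker who substitutes a key in transit cannot also make the maintainer read out the matching fingerprint. The signature step is what stops an outsider uploading under a maintainer's name once the transport itself (ssh/scp) has authenticated the connection. The Lamport scheme is chosen only for self-containment; its keys are single-use, which is why a real deployment uses PGP-style keys instead.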