ANNOUNCE: Review requests

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Fri Mar 18 23:35:43 UTC 2005


mattdm at mattdm.org (Matthew Miller) writes:

>> GPG signatures are the only reasonable authentication; trusting in
>> web-based logins in the age of auto-login features in web browsers is not
>> very wise. Simple web-based logins are vulnerable against weaknesses in
>
> But what's to keep someone from setting up a passphraseless GPG key, or
> holding that in some key manager? It's not really all that different --
> at some level, you've got to trust your trusted developers to follow
> basic good practices.

There is a difference: with simple login (username + passphrase) you
have two options:

1. use everywhere the same login data which you can remember. Because
   "everywhere" usually consists of lots of web pages in different
   trust domains, that's a bad idea. When one side gets compromised
   (e.g. by its administrator), all others will be compromised too.

2. use different login data. This is a lot of data which nobody can
   recall after some time. So, you have to use key managers or go through
   a remember-password procedure on every login. I do not trust complex
   systems like web browsers and think that they should be used for less
   sensitive passwords only.


With GPG, your local system must be compromised (reading the keyring +
intercepting keyboard input) for effects like in point 1. to happen. With
care (browse the web as a different user which cannot read your ~/.gnupg,
do not execute untrusted software...), chances are low that this will
happen.

So I think that GPG-based authentication is much more secure than
HTTP authentication.


>> I am more concerned about the reactions of the bugzilla developers. Their
>> answers show that they do not understand the underlying HTTP protocol. IP-
>> based authentication must never be used for public HTTP services; you do
>> not gain any security by it, but it destroys functionality.
>
> C'mon, you're overstating. You gain some security by it.

As I wrote in the bug report, you can also gain security by cutting the
power cable. But like IP-based auth, this destroys functionality a little
bit...
Enrico
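As an added example (not part of Enrico's mail or of any project), a small POSIX shell check for the assumption the mitigation above rests on: that nothing under ~/.gnupg is readable by other local users. The function name check_gnupg_private and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that a GnuPG home
# directory is private, i.e. no entry under it has any group or other
# permission bit set. This is the precondition for "browse the web as a
# different user which cannot read your ~/.gnupg".
# Exit status: 0 = everything private, 1 = something exposed (paths are
# printed), 2 = directory missing.

check_gnupg_private() {
    dir="${1:-$HOME/.gnupg}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # -perm -NNN (all listed bits set) is POSIX; testing each bit of the
    # group (070) and other (007) triplets separately keeps this portable
    # between GNU and BSD find. The directory itself is included.
    exposed=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Stand-alone use (assumed script name): sh check_gnupg.sh "$HOME/.gnupg"
if [ "$#" -gt 0 ]; then
    check_gnupg_private "$1"
fi
```

An exit status of 1 lists every exposed path, so the output can be fed straight to chmod.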