Secrecy and user trust

[Bill Davidsen]

Anders Karlsson wrote:
> * Bill Davidsen <davidsen at tmr.com> [20080904 05:29]:
>> Patrick O'Callaghan wrote:
>>> On Wed, 2008-09-03 at 10:30 -0400, Bill Davidsen wrote:
>>>> hardest of all find a secure way to provide the public part of the  
>>>> signing key
>>> The whole point about asymmetric encryption is that you don't need a
>>> secure distribution channel. The worst that can happen is that some fake
>>> public key gets distributed, which won't match the private key and hence
>>> will be instantly detectable.
>>>
>> NAK - if a fake public key were distributed then packages signed with  
>> the fake key would be matched, allowing full access to install crap in  
>> your machine. And packages signed with any valid redhat key would be  
>> rejected.
>>
>> The public key really must be distributed in a secure manner.
> 
> I am sure the infrastructure team is all ears for a detailed
> suggestion on how you believe this should be achieved. And with your
> extensive experience in the field - you ought to be able to provide a
> detailed plan of action.
> 
> It's very easy sitting at the side-line criticising, but actually
> *doing* it is much harder. 

Which is why I made a concrete and readily implemented suggestion that 
the new key be distributed by livna (and/or atrpm, etc) signed with a 
key which is believed to be secure, preferably several of them.

No one claimed that it couldn't be done, or even that it wouldn't work, 
just that it was bad politics to have another repo sign.
> 
> IMHO - we're at the "put up or shut up" point with the criticism now.

I offered a technically viable solution for new key signing and 
distribution, it was rejected for political reasons. Sorry you feel 
that's criticism.
> 
> /Anders
> 


-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot