Secrecy and user trust

jdow jdow at earthlink.net
Fri Sep 5 18:55:57 UTC 2008 

From: "Bill Davidsen" <davidsen at tmr.com>
Sent: Friday, 2008, September 05 06:59


> Jeff Spaleta wrote:
> 
>> If you want to be security paranoid concerning the validity of the new
>> key when it becomes available.. go right ahead.. be paranoid about it.
>>  But if you need 3rd parties to sign off on the key before you use it,
>> then you should already have been talking to 3rd parties about doing
>> it for the last Fedora key. Talk to the 3rd parties.. get them to
>> agree to sign the new key and put the detached signatures somewhere
>> public.
>> 
> This is a (hopefully) one-time problem, and therefore it probably 
> doesn't need a perfect, automated, runs-by-itelf solution. And my 
> assumption has been that some people at other repositories do personally 
> know and interact with official people in the Fedora project, and that 
> there is an out-of-band way to pass information to the people at some 
> other repository. Given the nature of the problem, that could mean 
> carrying a CD a hundred miles to meet with someone who is personally 
> known to you from a presentation, etc, etc. It need not be pretty, let's 
> assume that this is a one-time problem.
> 
> The the other repository creates an RPM, containing not the key, but the 
> RPM created by Fedora, signed appropriately, which in turn contains the 
> new key, and distributes an RPM which installs an RPM, which rpm (the 
> program) now knows how to handle. So instead of signing a key, they 
> create and sign an RPM which itself contains an RPM, which can be 
> manually installed by the cautious.
> 
> Does that satisfy the technical issues you raised? It's what I had in 
> mind initially, when I proposed a secure means of distributing the 
> information. I know it's ugly, but it's a one night stand.

Psssst - come over here in the corner while I whisper in your ear about
companies like Verisign. That WOULD solve the problem. It would also
violate the Open Source concept of Fedora upsetting the purists.

If you download initially from Fedora then you either trust the connection
today or you do not. And some mechanism needs to be invented that can
declare "trust old key for items dated older than XXX. After that trust
only this new key until YYY, after which you will need an even newer key."

That's probably the infrastructure improvements they mumbled about in
their status reports.

{^_-}

More information about the fedora-list mailing list