Secrecy and user trust

Bill Davidsen davidsen at tmr.com
Mon Sep 8 00:27:00 UTC 2008 

Ed Greshko wrote:
> Ed Greshko wrote:
>> It would be very nice if someone would fully define what they mean by
>> the very vague term "fake key".
>>   
I think most of us would mean a key created by someone not part of the 
Fedora project, and which is intended to convince users that it is, in 
fact, a key created and distributed by the Fedora project and used to 
sign official releases.

I speak only for me, of course.

> And along with that, define the method used to distribute said key in a
> manner that would be oblivious to the all end users.  It has to be
> oblivious to all end users such that nobody would be able to raise an
> alarm in a reasonable amount of time.

Here we disagree. That's like saying that spam has to fool all readers 
to be worth doing. If an unauthorized key is used to cause users to 
install unauthorized software, then it has achieved its purpose. Note 
that the purpose is yet unclear, and may not exist, but once such an 
install takes place it could fo any or all of the following:
- steal information from a user system
- use the user system to run untrusted executables (or any kind)
- damage the reputation of Fedora and Red Hat
- damage the reputation and user trust of Linux in general
   for the purpose of reducing use of Linux vs. other operating systems

I rate the first two as likely, the third as a possible effect even if 
unintended, and the last as another possible effect, which might be 
intended.
> 
> If the public/private key methods employed today are as easy to
> penetrate and subvert as some seem to be claiming then one has to
> question why  it hasn't already been done.
> 
It has already been proved to be possible, so discussion of how easy it 
is or way is irrelevant, at least to me.

The new public key could be distributed from the master Red Hat servers, 
not from mirrors, which would allow validation of the content by the 
validity of the SSL certificate. Once a trusted signature is available, 
all other packages, from mirror or torrent, could be properly validated.

While this is inconvenient, it is also as secure as the original, and 
not readily vulnerable to attacks in the distribution, since middlemen 
are not involved. And once the key is out for a few days, and many users 
have it and can quickly compare it to any other key distributed by other 
means, then it can be sent out in a more convenient manner if people 
really feel the need to trade some security for ease of use.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

More information about the fedora-list mailing list