Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] autorpm and latest secure files
  • From: dproc <dproc@xxxxxxx>
  • Date: Sun, 13 Aug 2000 17:10:41 -0400
  • Message-id: <20000813171041.A519@xxxxxxxxxxxxxxx>
On Sat, 12 Aug 2000, Kurt Seifried wrote:

> > If an attacker trojaned your local
> > GnuPG binary or tampered with your public keyring, he could get false
> > signatures past you.
>
> This is just as true for the md5sum or sha1 binary on your system! You don't
> really "lose" anything. If the attacker can replace these binaries that
> means he has root locally on your system. This also means he can replace

Kurt is (almost) right. Although my public keyring is owned by my user
(not root), in theory my user account is just as secure as root. I
was wrong.

> I am much more
> worried about someone running a mirror site and that site getting
> compromised (like ftp.win.tue.nl), the attacker trojans the files and
> md5sums on the remote site, users download and everything appears ok. With
> GnuPG that would not be possible,

I agree with Kurt and Volker here. I always did. I am sorry I was
not clear. gpg signed distribution would be a *huge step forward*.

> the attacker would have to break into the
> SuSE machine used to sign packages. I assume this machine is NOT online,
> i.e. they have removable media such as a jaz drive to move the data, meaning
<SNIP>
> "may be shared".
<SNIP>
> Can we stick to facts instead of making them up?

I am sure key security at suse and redhat is good. But I know that
Roman and Marc and Thomas all sign email announcements with the same
security@xxxxxxxx private key. I suspect that Red Hat is the same.

I expect my guess that they have their own copies was wrong. It is
perfectly reasonable that they carry their email on sneakernet to an
isolated signing machine, sign it, then copy the signed email back to
their networked workstation.

Even if their security is weaker than this 'best practice' gpg/pgp
signing is still *a good thing*.

>
> > BTW IMHO the key doesn't need to be on the CD to be trusted. The SuSE
> > key fingerprint is in chapter 18 of the manual. If you get a paper
> > manual it is reasonably independent of the Internet.

I mean their pgp2 key fingerprint.

> GnuPG key distribution is a *LOT* easier, you only have to do it once,

gpg key distribution is no easier or harder than pgp, is it? It is
much easier than md5 fingerprints - which have some technical problems
as well as needing the secure channel of suse's pgp-signed
announcements.

dproc
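The mirror scenario in Kurt's quoted paragraph, and the signed-announcement channel for md5 lists that dproc mentions at the end, as an added illustration that is not code from the thread, from SuSE or from GnuPG: a toy RSA key built from two fixed small primes (constructed, and far too small to be secure) stands in for the signing key so the script runs offline, and the package bytes, the tampered bytes and the md5 listing are all constructed here. It puts the two client checks side by side: an md5sum served from the same mirror is regenerated along with the file, so it still passes after tampering, while the detached signature fails because the private exponent never left the signing machine. The last two functions model the other workable option from the thread, sending the md5 list itself under a signature.

```python
"""Co-hosted md5sums versus a detached signature after a mirror compromise.

Added illustration, not SuSE or GnuPG code.  A toy RSA key from two fixed
small primes stands in for GnuPG so this runs offline; every key, package
and payload below is constructed, and the key is NOT secure (real keys
are 1024 bits and up, with proper hash padding).
"""
import hashlib

# Toy key material (constructed).  Both values are real primes just above 1e6.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def digest_int(data: bytes) -> int:
    """SHA-256 of the data, reduced so it fits the toy modulus (real RSA pads instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """Needs the private exponent: in the thread's model this runs only on the
    isolated signing machine that is never on the network."""
    return pow(digest_int(data), d, N)


def verify(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Needs only the public key, which the user checked against the
    fingerprint printed in the manual (an out-of-band channel)."""
    return pow(sig, e, n) == digest_int(data)


def publish(package: bytes) -> dict:
    """What lands on a mirror: the package, its md5sum and a detached signature."""
    return {"pkg": package,
            "md5": hashlib.md5(package).hexdigest(),
            "sig": sign(package)}


def tamper_on_mirror(entry: dict, replacement: bytes) -> dict:
    """Model of the compromise Kurt describes: whoever controls the mirror can
    rewrite the package AND regenerate its md5sum, since md5sum needs no secret.
    The signature is left as-is: there is no private key on the mirror."""
    return {"pkg": replacement,
            "md5": hashlib.md5(replacement).hexdigest(),
            "sig": entry["sig"]}


def check_md5(entry: dict) -> bool:
    """Client check that trusts an md5sum fetched from the same mirror."""
    return hashlib.md5(entry["pkg"]).hexdigest() == entry["md5"]


def check_sig(entry: dict) -> bool:
    """Client check against the out-of-band-verified public key."""
    return verify(entry["pkg"], entry["sig"])


def publish_signed_md5_list(packages) -> dict:
    """md5sums sent over a signed channel (the pgp-signed announcements):
    the listing itself carries the signature."""
    listing = "\n".join(hashlib.md5(p).hexdigest() for p in packages).encode()
    return {"list": listing, "sig": sign(listing)}


def check_via_signed_list(package: bytes, announcement: dict) -> bool:
    """Accept a package only if the signed listing verifies and contains its md5."""
    if not verify(announcement["list"], announcement["sig"]):
        return False
    return hashlib.md5(package).hexdigest() in announcement["list"].decode().split("\n")


def demo() -> dict:
    """Run both checks against a genuine and a tampered mirror entry."""
    genuine = publish(b"constructed package contents, release 1")
    tampered = tamper_on_mirror(genuine, b"constructed package contents, altered on the mirror")
    return {"genuine_md5": check_md5(genuine),
            "genuine_sig": check_sig(genuine),
            "tampered_md5": check_md5(tampered),   # True: md5sum rewritten with the file
            "tampered_sig": check_sig(tampered)}   # False: signature no longer matches


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} {'passes' if ok else 'FAILS'}")
```

The point to take from `demo()` is the `tampered_md5` line: the checksum check passes on the tampered entry because nothing on the mirror was secret, so it only ever detected accidental corruption. Verification of the detached signature, or of a signed md5 listing, fails for the tampered package because producing a fresh signature would need the private key kept on the offline machine.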


