Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/12/22 06:33:23 UTC

Re: way for an sa-update channel to specify that GPG keys are required

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Theo Van Dinter writes:
> On Wed, Dec 21, 2005 at 08:22:30PM -0800, Justin Mason wrote:
> >     gpg-signed 4598349584 http://url/of/GPG.KEYS
> > 
> > i.e. a keyid that must be present on the files for the update to be valid,
> > and a URL where that keyid's public key can be found if it isn't already
> > on the keyring.
> > 
> > If that line is in MIRRORED.BY, and the update isn't signed by that key,
> > or that key isn't on the caller's keyring, the update fails and the
> > URL is output.
> 
> If I can hijack your request for the MIRRORED.BY file, then I can 0wn
> your box.  The current method requires the person running sa-update to
> specify what key(s) they trust (or just accept the default/built-in keys).
> Therefore, I can try hijacking any one of your connections I want,
> you won't trust the file I send you.

I forgot to mention ;) -- but this would be incremental.  The keyid in
question would have to be already listed in sa-update, or on the
commandline, therefore the hijacker would have to hijack those methods
*too*.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDqjqjMJF5cimLx9ARArCQAJ4lMGgLTtplHw6JjuAfoF7K48VNXACgpWTP
d0B4Ifj07wjt+6AP31eOlQ0=
=J6VF
-----END PGP SIGNATURE-----


Re: way for an sa-update channel to specify that GPG keys are required

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Dec 21, 2005 at 09:33:23PM -0800, Justin Mason wrote:
> > >     gpg-signed 4598349584 http://url/of/GPG.KEYS
> 
> I forgot to mention ;) -- but this would be incremental.  The keyid in
> question would have to be already listed in sa-update, or on the
> commandline, therefore the hijacker would have to hijack those methods
> *too*.

I don't think this is a useful feature.  First, the key already has to
be listed.  Second, we don't want to randomly download and import a key
from a URL in a random file.  Third, I really don't like the idea that
the publisher forces the client to do things.  If the client doesn't want
to do GPG, they shouldn't be forced to use it.  I think enabling GPG by
default (which it is) gets the point across that it's highly recommended
to use it all the time.  There's no benefit in that situation to have
the channel also specify that gpg must be used.

-- 
Randomly Generated Tagline:
The trained mind does not need a watch. Watches are a confidence trick
 invented by the Swiss.  - Chiun in Remo Williams: The Saga Begins
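The exchange above (Justin's proposed `gpg-signed <keyid> <url>` line in MIRRORED.BY, the "incremental" rule that the keyid must already be trusted, and Theo's objection to importing keys from a URL found in a hijackable file) modelled as a small policy check. This is an added example in Python, not code from SpamAssassin's sa-update (which is Perl); it assumes a simplified MIRRORED.BY layout with one mirror URL per line, the hypothetical `gpg-signed` line from the thread, and GPG verification results represented as plain sets of key IDs. The check only ever reports the channel's key URL to the administrator; it never fetches or imports anything from it.

```python
"""Model of the MIRRORED.BY 'gpg-signed' proposal debated in this thread.

Added example, not sa-update's own code. Assumes a simplified MIRRORED.BY
layout (one mirror URL per line with an optional 'weight=N', plus the
hypothetical 'gpg-signed <keyid> <url>' line) and represents the outcome of
GPG verification as sets of key IDs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Key IDs as they appear in the thread: a hex-looking token of 8-40 characters
KEYID_RE = re.compile(r"^[0-9A-Fa-f]{8,40}$")

# Constructed sample channel file; the gpg-signed line is the one proposed above
SAMPLE_MIRRORED_BY = """\
# constructed sample, not a real channel file
http://mirror1.example.invalid/updates weight=5
http://mirror2.example.invalid/updates weight=1
gpg-signed 4598349584 http://url/of/GPG.KEYS
"""


@dataclass
class ChannelPolicy:
    """What the channel asks for: a key that must sign, and where to find it."""
    required_keyid: Optional[str] = None
    key_url: Optional[str] = None


@dataclass
class Decision:
    ok: bool
    reason: str
    key_url: Optional[str] = None  # reported to the admin, never fetched here


def parse_mirrored_by(text: str):
    """Return (mirror URLs, ChannelPolicy) parsed from MIRRORED.BY text."""
    mirrors = []
    policy = ChannelPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "gpg-signed":
            if len(parts) != 3 or not KEYID_RE.match(parts[1]):
                raise ValueError("malformed gpg-signed line: %r" % line)
            policy = ChannelPolicy(parts[1].upper(), parts[2])
        else:
            mirrors.append(parts[0])
    return mirrors, policy


def check_update(policy, trusted_keyids, signing_keyids, gpg_enabled=True):
    """Decide whether an update may be applied.

    trusted_keyids: keys the client chose (built-in defaults plus command line).
    signing_keyids: keys whose signatures GPG verified on the update files.
    The channel's requirement is applied incrementally: it may only name a key
    the client already trusts, so a hijacked MIRRORED.BY cannot introduce a
    new key, and the key URL is only reported back, never downloaded.
    """
    if not gpg_enabled:
        # The client, not the channel, decides whether GPG is used at all.
        return Decision(True, "gpg verification disabled by the client")
    trusted = {k.upper() for k in trusted_keyids}
    signers = {k.upper() for k in signing_keyids}
    if not signers & trusted:
        return Decision(False, "update not signed by any key the client trusts")
    req = policy.required_keyid
    if req is None:
        return Decision(True, "signed by a trusted key")
    if req not in trusted:
        return Decision(False, "channel requires key %s, which the client does "
                        "not trust" % req, policy.key_url)
    if req not in signers:
        return Decision(False, "update not signed by channel-required key %s"
                        % req, policy.key_url)
    return Decision(True, "signed by channel-required key %s" % req)


if __name__ == "__main__":
    mirrors, policy = parse_mirrored_by(SAMPLE_MIRRORED_BY)
    trusted = {"4598349584"}
    print(check_update(policy, trusted, {"4598349584"}))
    # A tampered channel file naming a key the client never trusted is refused
    # whether or not the files it points at are signed by that key.
    tampered = ChannelPolicy("0BADF00D0BADF00D", "http://hijacker.example.invalid/keys")
    print(check_update(tampered, trusted, {"4598349584"}))
    print(check_update(tampered, trusted, {"0BADF00D0BADF00D"}))
```

The ordering of the checks is the point: the client's own trust set is consulted first, and the channel line can only narrow what is accepted, never widen it. That is what makes the scheme "incremental" in Justin's sense, and it is also why, as Theo notes, the line adds little once GPG is on by default: a key that is already trusted does not need the channel to say so.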