Posted to dev@httpd.apache.org by Lars Eilebrecht <La...@unix-ag.org> on 1997/10/21 17:34:36 UTC

PGP key (was Re: 1.3b2 tarball)

Hi,

> Because that is useless.  The purpose is not just to verify that mirrors
> are correct (md5 checksums do that), but also to verify that the
> distribution source hasn't been hacked.
> 
> That requires that developers independently sign it using their own key
> which is not vulnerable if taz is compromised.

If taz is compromised the key can be revoked.
Anyway a dedicated Apache Group PGP key may still be a good idea, whether it
is kept on taz or on the members' private machines... (IMHO)

BTW, here is a snippet from PR#1283: 

>Synopsis:       PGP Public Keys not publicly registered
>Originator:     russell@pilot.net

For the suitably paranoid, it's a bad thing (tm) that the current distribution
of the Apache source does not have a publicly available PGP Public Key that
is associated with it (ie. looking up key A0BB71C1 fails on any public key
server).

The point of this is that, if we're really worried about source tampering on
the Apache FTP site it is conceivable that the keyfiles and signatures out there
are also prone to the same problem - put simply, if the source file on one
machine is tampered with on a given machine it's pretty reasonable to assume that
the keyfile/sigs will also be modified (ie. tampered with), therefore nullifying
the usefulness of the information they are designed to protect.
>How-To-Repeat:
Try looking up the keys on a Public Key Server (http://pgp.mit.edu/)
>Fix:
Register the keys officially (see http://pgp.mit.edu/)
>Audit-Trail:
>Unformatted:


ciao...
-- 
Lars Eilebrecht
sfx@unix-ag.org
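
The two points made above (in the quoted reply, that a signature only proves anything if the signing key never lives on the distribution host, and in PR#1283, that the verifier's copy of the public key must come from somewhere other than the download site) can be shown side by side. The following is an added example and is not code from this thread or from the Apache project: Ed25519 from Go's standard library stands in for PGP, the tarball contents, key seeds and the scenario names ("bad mirror", "hacked origin") are constructed, and taz is modelled simply as whatever the Site struct serves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Site models what a distribution host (taz in the thread) or a mirror of it
// serves: the tarball, its MD5 checksum file, a detached signature and, as on
// the 1997 FTP site, a public-key file hosted right next to them.
type Site struct {
	Tarball []byte
	MD5     string
	Sig     []byte
	KeyFile ed25519.PublicKey // key file served by the same host as the tarball
}

// Verdict records what each of the three checks a downloader might run says.
type Verdict struct {
	MD5OK       bool // tarball matches the checksum file on the site
	SiteKeyOK   bool // signature verifies with the key file served by the site
	PinnedKeyOK bool // signature verifies with a key obtained out of band
}

func md5hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// publish is what a developer does on a machine only they control: sign the
// tarball with a private key that never lives on the distribution host, then
// upload tarball, checksum, signature and public key.
func publish(tarball []byte, devPriv ed25519.PrivateKey) Site {
	return Site{
		Tarball: tarball,
		MD5:     md5hex(tarball),
		Sig:     ed25519.Sign(devPriv, tarball),
		KeyFile: devPriv.Public().(ed25519.PublicKey),
	}
}

// corruptMirror models a mirror that serves a damaged or stale tarball but
// faithfully copies the checksum, signature and key files from the origin.
func corruptMirror(origin Site, bad []byte) Site {
	m := origin
	m.Tarball = bad
	return m
}

// compromiseOrigin models an attacker with root on the distribution host: the
// tarball is replaced and everything that lives on the same box (checksum file,
// signature, hosted key file) is regenerated to match, using the attacker's key.
func compromiseOrigin(evil []byte, attackerPriv ed25519.PrivateKey) Site {
	return publish(evil, attackerPriv) // same steps as the developer, wrong key
}

// verify runs the three checks. pinned is the developer's public key fetched
// from an independent source (a key server, or the developer in person), not
// from the download site.
func verify(s Site, pinned ed25519.PublicKey) Verdict {
	return Verdict{
		MD5OK:       md5hex(s.Tarball) == s.MD5,
		SiteKeyOK:   ed25519.Verify(s.KeyFile, s.Tarball, s.Sig),
		PinnedKeyOK: ed25519.Verify(pinned, s.Tarball, s.Sig),
	}
}

// RunScenarios builds the three situations from the thread with fixed seeds
// (deterministic, constructed data) and returns the verdict for each.
func RunScenarios() (clean, badMirror, hackedOrigin Verdict) {
	devSeed := make([]byte, ed25519.SeedSize)
	attSeed := make([]byte, ed25519.SeedSize)
	devSeed[0], attSeed[0] = 1, 2 // constructed; any two distinct seeds will do
	devPriv := ed25519.NewKeyFromSeed(devSeed)
	attPriv := ed25519.NewKeyFromSeed(attSeed)
	pinned := devPriv.Public().(ed25519.PublicKey) // as if looked up on a key server

	tarball := []byte("apache_1.3b2.tar.gz: constructed stand-in contents")
	origin := publish(tarball, devPriv)

	clean = verify(origin, pinned)
	badMirror = verify(corruptMirror(origin, []byte("truncated download")), pinned)
	hackedOrigin = verify(compromiseOrigin([]byte("backdoored tarball"), attPriv), pinned)
	return
}

func main() {
	clean, badMirror, hackedOrigin := RunScenarios()
	fmt.Printf("clean release: %+v\n", clean)
	fmt.Printf("bad mirror:    %+v\n", badMirror)
	fmt.Printf("hacked origin: %+v\n", hackedOrigin)
}
```

Run it with `go run`. The bad mirror fails every check, which is all an MD5 file on the origin can detect. The hacked origin passes the MD5 check and also passes the signature check when the key file is taken from the same host, because the attacker regenerated both; only verification against the key pinned from an independent source fails. That column is the whole value of the scheme, and it exists only if the signing key was never on taz and the verifier's copy of the public key did not come from taz either.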

Re: PGP key (was Re: 1.3b2 tarball)

Posted by Marc Slemko <ma...@worldgate.com>.
On Tue, 21 Oct 1997, Lars Eilebrecht wrote:

> Hi,
> 
> > Because that is useless.  The purpose is not just to verify that mirrors
> > are correct (md5 checksums do that), but also to verify that the
> > distribution source hasn't been hacked.
> > 
> > That requires that developers independently sign it using their own key
> > which is not vulnerable if taz is compromised.
> 
> If taz is compromised the key can be revoked.

By that point it is far too late.  If we find taz is compromised then we
damn well better verify the source distributions at that time and fix them
if they have been tampered with.  After that, revoking the key does
nothing except tell people that the key you trusted to install that
program isn't valid any more.  Haha, too late.
