Cryptographically Strong Software Distribution HOWTO

Ben Laurie ben at algroup.co.uk
Tue Jul 3 14:28:33 EDT 2001


Rich Salz wrote:
> 
> > Oh? How? All you are suggesting is that the role key is held by a CA -
> > well, who is that going to be, then?
> 
> Unh, no.  The same way the ASF determines who gets commit access could
> be the same way the ASF determines who their CA will give
> release-signing keys to. The same way the ASF takes away someone's
> commit access is the same way they could update the CRL.
> 
> All those key update, distribution, revocation, etc., stuff -- all those
> hard problems you said you want to automate -- go away.  Recipients need
> only trust the Apache CA and its CRL.

So how does this work in practice? How does an ASF subproject instruct
the CA? How does one that's more divorced from any kind of formal
structure? Seems to me you are introducing a monster security hole
unless you somehow secure the instructions to the CA - and I can't see
how to do that at all - at least, not without doing what I already
proposed (and having the CA as the sole monitor of the correctness of
the process).

If Verisign can be spoofed into signing a Microsoft key, what hope for
this model? None, IMO.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
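The model under discussion, written out as an added example that is not code from either poster or from the ASF: a trusted CA issues release-signing keys, publishes a CRL, and recipients verify a release by chaining the signer's key back to the CA and checking the CRL. Ed25519 stands in for whatever signature scheme such a CA would really use, the certificate and CRL encodings are invented stand-ins for X.509, and the project and signer names are constructed. The one thing the code cannot check is the step Ben asks about: who is allowed to make the CA call IssueReleaseKey or SignCRL in the first place.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ReleaseKeyCert is the CA's signed statement that PubKey may sign releases
// for Project. A minimal stand-in for an X.509 certificate (assumption).
type ReleaseKeyCert struct {
	Project string
	Signer  string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// CRL is the CA's signed list of revoked release-key fingerprints.
type CRL struct {
	Revoked []string
	CASig   []byte
}

// CA holds the key pair that recipients trust as their only root.
type CA struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{pub: pub, priv: priv}, nil
}

func (ca *CA) PublicKey() ed25519.PublicKey { return ca.pub }

// certBytes is the canonical byte string the CA signs for one release key.
func certBytes(project, signer string, pub ed25519.PublicKey) []byte {
	return []byte("release-key|" + project + "|" + signer + "|" + hex.EncodeToString(pub))
}

func crlBytes(revoked []string) []byte {
	return []byte("crl|" + strings.Join(revoked, ","))
}

// Fingerprint is how a release key is named in the CRL.
func Fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// IssueReleaseKey is the "ASF decides who gets a release-signing key" step.
// Nothing here authenticates that decision; that is the gap the reply raises.
func (ca *CA) IssueReleaseKey(project, signer string, pub ed25519.PublicKey) ReleaseKeyCert {
	return ReleaseKeyCert{Project: project, Signer: signer, PubKey: pub,
		CASig: ed25519.Sign(ca.priv, certBytes(project, signer, pub))}
}

// SignCRL is the "ASF takes someone's key away" step.
func (ca *CA) SignCRL(revoked []string) CRL {
	return CRL{Revoked: revoked, CASig: ed25519.Sign(ca.priv, crlBytes(revoked))}
}

// VerifyRelease is what a recipient runs; it trusts only caPub and the CRL.
func VerifyRelease(caPub ed25519.PublicKey, crl CRL, cert ReleaseKeyCert,
	project string, artifact, sig []byte) error {
	if !ed25519.Verify(caPub, crlBytes(crl.Revoked), crl.CASig) {
		return errors.New("CRL is not signed by the trusted CA")
	}
	if !ed25519.Verify(caPub, certBytes(cert.Project, cert.Signer, cert.PubKey), cert.CASig) {
		return errors.New("release key was not issued by the trusted CA")
	}
	if cert.Project != project {
		return errors.New("release key was issued for a different project")
	}
	fp := Fingerprint(cert.PubKey)
	for _, r := range crl.Revoked {
		if r == fp {
			return errors.New("release key has been revoked")
		}
	}
	if !ed25519.Verify(cert.PubKey, artifact, sig) {
		return errors.New("artifact signature does not verify")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := ca.IssueReleaseKey("httpd", "alice", pub) // constructed names
	artifact := []byte("constructed release tarball bytes")
	sig := ed25519.Sign(priv, artifact)
	fmt.Println("fresh key:", VerifyRelease(ca.PublicKey(), ca.SignCRL(nil), cert, "httpd", artifact, sig))
	crl := ca.SignCRL([]string{Fingerprint(pub)})
	fmt.Println("after revocation:", VerifyRelease(ca.PublicKey(), crl, cert, "httpd", artifact, sig))
}
```

The recipient-side checks are exactly the ones Rich describes (CA signature on the key, CRL lookup, artifact signature); a certificate from any other CA, a key issued for a different project, a revoked key, or a tampered artifact all fail. Every one of those outcomes, however, depends on the CA's private key being used only on instructions the ASF actually gave, which is the part of the process the code has no way to verify.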



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com