A mighty fortress is our PKI, Part II

Jerry Leichter leichter at lrw.com
Tue Aug 17 16:56:19 EDT 2010

On Aug 17, 2010, at 4:20 AM, Peter Gutmann wrote:
>  Your code-signing system should create a tamper-resistant audit  
> trail [0] of
>  every signature applied and what it's applied to.
> Peter.
> [0] By this I don't mean the usual cryptographic Rube-Goldbergery,  
> just log
>    the details to a separate server with a two-phase commit protocol  
> to
>    minimise the chances of creation of phantom non-logged signatures.
...thus once again demonstrating how much of good cryptographic  
practice is just good engineering/release management practice.

A number of years ago, in addition to being in charge of much of the  
software development, I had the system management organization of the  
small software maker I worked at reporting to me.  I formalized a  
process that the (already well run) organization already had in  
place.  Any time *any* build of the software "left the building", even  
if just for a demo, we marked that build as "locked".  We would never  
delete a "locked" build without a careful determination that it was,  
in fact, "dead":  No longer in use at any customer.     We also,  
within 24 hours, did a special backup of the build onto a tape that  
went into permanent off-site storage.

The one time I know of that we didn't follow these procedures (before  
they were officially put into place), a very large customer, at their  
insistence and after the sales guy who dealt with them swore they  
agreed to delete the copy we gave them, got a snapshot of a build from  
a developer's workstation "just to see how the new version would  
look".  Without telling us, the customer proceeded to roll this out at  
hundreds of sites, resulting in years of support grief, since it was  
impossible for us to determine exactly what went into the code they  
were running.

We were later acquired by a much larger company that claimed they  
would "teach us how to do big-league software engineering".  Hah.   
That company was shipping software built on developer workstations as  
a day-to-day practice - they were just beginning to develop mechanisms  
to ensure that the stuff they shipped came through traceable,  
reproducible builds.  Oh ... but their stuff was in Java, so was  
signed  The signing was tightly controlled at a central location.  Cue  
classic joke about using an armored car to deliver an envelope to  
someone living in a cardboard box.
                                                         -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list