Re: (ITS#5639) Digital (PGP-)signature for downloadable sources



Kurt Zeilenga wrote:
> For instance, web_ldap says it provides a signature for a digital 
> release, but clicking on the link provides a page which says "Not 
> found".

I knew this (transition during a major OS update on my local machine). 
It's fixed.

> But, as I noted with hashes, the fact that release messages are widely 
> published may make it more likely that such problems will be detected.

Hashes have to be validated out-of-band each time a new release is 
published. The trusted keys have to be validated out-of-band only 
each time a new trust anchor key is generated.

> For instance, one does need to consider that 
> the host to sign the releases might itself have been taken over and the 
> implications of such a takeover.

There is no 100% security. I already know this. But raising security 
level is always a desirable goal.

> Anyways, for this to go anywhere, I think you or others advocating it 
> need to more precisely state which attacks you are concerned about, how you 
> think digital signatures will help, and detail requirements on that 
> signing (in particular, requirements on signing key so trust can be 
> established and maintained).

I have no objections against a single release manager using his personal 
key or a dedicated key for OpenLDAP tar.gz signing stored in your local 
file system reasonably protected by a passphrase. As I see it you're the 
only one packaging the tar.gz. So this should not be too difficult for 
you. Well, if you don't want to do that then just leave it...

> Note that these are human-factor attacks, not attacks based upon any 
> weakness in the PGP signing standards or implementations.

I already know that.

Ciao, Michael.
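Added example, not from this thread or the OpenLDAP project: the trust-anchor argument above, modelled in Go with an ed25519 key standing in for a PGP key and a constructed tarball. A hash published beside the download verifies whatever a compromised host serves, while a signature check that pins the trust anchor's public key rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-in for a release tarball (not a real OpenLDAP artefact).
var release = []byte("openldap-x.y.z.tgz: constructed tarball bytes")
// verifyByHash: a hash fetched next to the tarball proves nothing; it has to
// arrive through an out-of-band channel for every single release.
func verifyByHash(tarball []byte, publishedHex string) bool {
	sum := sha256.Sum256(tarball)
	return hex.EncodeToString(sum[:]) == publishedHex
}
// verifyBySignature accepts only a good signature made by the pinned key; the
// pinned value is validated out-of-band once, when the trust anchor is created.
func verifyBySignature(tarball, sig []byte, pub ed25519.PublicKey, pinnedHex string) error {
	if hex.EncodeToString(pub) != pinnedHex {
		return errors.New("signing key is not the pinned trust anchor")
	}
	if !ed25519.Verify(pub, tarball, sig) {
		return errors.New("signature does not match tarball")
	}
	return nil
}
// scenario: a compromised download host serves a modified tarball plus a
// matching hash file and a signature from the attacker's own key. Returns the
// hash-only result (true: undetected), the pinned-signature error for the
// modified tarball (non-nil) and for the genuine, anchor-signed tarball (nil).
func scenario() (hashPasses bool, tamperedErr, genuineErr error) {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := hex.EncodeToString(anchorPub) // recorded out-of-band at key creation
	tampered := append(append([]byte{}, release...), " (modified)"...)
	sum := sha256.Sum256(tampered)
	hashPasses = verifyByHash(tampered, hex.EncodeToString(sum[:]))
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tamperedErr = verifyBySignature(tampered, ed25519.Sign(attackerPriv, tampered), attackerPub, pinned)
	genuineErr = verifyBySignature(release, ed25519.Sign(anchorPriv, release), anchorPub, pinned)
	return
}

func main() {
	fmt.Println(scenario())
}
```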