| |||||||||||||
KS2011: Kernel.org reportKS2011: Kernel.org reportPosted Oct 28, 2011 20:24 UTC (Fri) by giraffedata (subscriber, #1954)Parent article: KS2011: Kernel.org report
Central signing will not be happening anymore; developers will need to sign files - with their own keys - before uploading them. The new web of trust will allow those signatures to be verified by others. I don't get this part. Does the web of trust let one verify that the file was signed by a particular individual, or that it was signed by a trustworthy kernel developer? If it's just the former, it seems less valuable than the former automatic kernel.org signature.
(Log in to post comments)
KS2011: Kernel.org report Posted Nov 8, 2011 17:25 UTC (Tue) by wookey (subscriber, #5501) [Link]
Yes the WOT allows you to verify that it was signed by a particular individual (so long as the key they used has been signed by someone else and thus is part of the WOT). This is how Debian has been operating for a very long time (more than 12 years to my knowledge).
kernel.org no longer centrally signs submissions Posted Nov 8, 2011 19:52 UTC (Tue) by giraffedata (subscriber, #1954) [Link] Then am I right that the new system wherein developers sign files with their own keys is less valuable than the old one where they were signed by kernel.org automatically? I'm skeptical, but where am I wrong?With the new system, when I look at a file I know it came from some identifiable individual I don't know anything about. With the old one, I know it came from kernel.org. I know something about kernel.org. I know it's set up (and always has been) to tend not to accept garbage.
kernel.org no longer centrally signs submissions Posted Nov 8, 2011 20:56 UTC (Tue) by raven667 (subscriber, #5198) [Link] With the new system, when I look at a file I know it came from some identifiable individual I don't know anything about. With the old one, I know it came from kernel.org. I know something about kernel.org. I know it's set up (and always has been) to tend not to accept garbage. If I understand correctly you don't have any reason to trust the old style kernel.org signature as it doesn't say anything about where the code came from or whether it is garbage or not since everything was automatically signed. All it told you is that the person who uploaded it had legitimate or illicit access to the kernel.org server, nothing more. You could just assume trust for anything signed, which would be the same security posture as before. It'd be great if there were more easily accessible, clear and accurate documentation on how to do useful signature verification. I just checked the kernel.org signature page and it looked like it hasn't been updated in a decade.
kernel.org no longer centrally signs submissions Posted Nov 8, 2011 21:56 UTC (Tue) by giraffedata (subscriber, #1954) [Link] All it told you is that the person who uploaded it had legitimate or illicit access to the kernel.org server, nothing more. It told me significantly more, because I know between those two possibilities, the legitimate access one is far more likely than the illicit access one. (If I didn't believe that, I never would have run anything I got directly from kernel.org on my computer).
kernel.org no longer centrally signs submissions Posted Nov 8, 2011 23:41 UTC (Tue) by raven667 (subscriber, #5198) [Link]
Then to truncate the point, the only thing you know is that the file passed through the kernel.org server. Now you know both that it came from a kernel developer and which one it came from. More is more than less, right? 8-)
kernel.org no longer centrally signs submissions Posted Nov 9, 2011 0:24 UTC (Wed) by jimparis (subscriber, #38647) [Link]
It seems the argument is that, as far as trust goes, "you downloaded this from kernel.org" is exactly the same assurance as the old "this was signed by kernel.org". That may be true (if SSL was used for the download), but it still seems that no harm would be done by also adding that automatic signature. Then SSL wouldn't be necessary, and you could verify that it passed through kernel.org even if you downloaded it from another site or mirror.
kernel.org no longer centrally signs submissions Posted Nov 9, 2011 2:49 UTC (Wed) by giraffedata (subscriber, #1954) [Link] Thanks; that's exactly what I was thinking. The great advantage of a digital signature is that it gives you a basis for trusting something regardless of how it got to you. If I found a kernel by the side of the road, I'd say, "Hell yes, I'll put that on my server. I can see that kernel.org blessed this particular arrangement of bits at some point." But it would be ridiculous to say, "This looks OK. Somebody signed it." The developer signature appears to serve an entirely different purpose from the kernel.org automatic signature (I suppose it is what tells kernel.org, which does know all the individuals, it's OK to take the code), but the article makes it sound like it is a replacement of -- and improvement on -- it.
kernel.org no longer centrally signs submissions Posted Nov 9, 2011 3:11 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Just to be clear, an automatic signature _only_ tells you that the bits passed through kernel.org. If you download from kernel.org then it tells you exactly nothing. I'm not sure why you mention ssl, it seems that ssl provides a higher level of assurance and what ssl provides is pretty lame.
Auto signing doesn't provide any more verification than an md5sum file which would probably be a better choice. When signatures are used people often assume a higher level of verification than really exists. Usually when releases are signed the private key is not publicly accessible and is on a separate device that only release approvers have access to, an offline workstation or smart card for example. That procedure can be a higher level of assurance that the bits you have are the right ones
|
|||||||||||||