[ Reply to This | Parent | # ]

• Yeah, I hinted at that in the first line - Authored by: Anonymous on Thursday, July 05 2012 @ 07:40 PM EDT

[ Reply to This | Parent | # ]

Ideally, every code creator and every distribution would have their own signing key(s). These would change much less frequently than the code itself. Once you have a key from RedHat and you know that key is valid then you can be sure the code you are getting from RedHat is the code they signed. RedHat, in turn, can be sure it is getting source code signed by the creators.

Once a system like this is in place then infecting a server with malicious versions of code has a much lower chance of infecting downstream systems. The only systems that would be vulnerable would be those that are downloading code and at the same time downloading the public key for the first time. Everyone else will have a cached copy of the public key that does not match the signed code. They can immediately raise the alarm saying the code has been compromised. Even worse for the potential attacker, everyone else can still download the public key and raise the alarm when it does not match the copy of the public key they have stored locally.

I don't see where a central authority would add value to this model except possibly for first time users. But that role is much better served by a web of trust where everyone is vouching for each other. A central authority is a single point of failure and thus an obvious target for attack. A web of trust is more difficult to compromise because attackers would need to gain control of a bunch of systems nearly simultaneously. Even then, if people downstream are caching and verifying public keys, a coordinated attack would be recognized almost instantly.

---
Our job is to remind ourselves that there are more contexts
than the one we’re in now — the one that we think is reality.
-- Alan Kay

[ Reply to This | Parent | # ]

• You're missing the point. - Authored by: darkonc on Saturday, July 07 2012 @ 04:43 PM EDT