cvs-dev

From: Derek R. Price
Subject: Re: [Cvs-dev] Re: [Cvs-test-results] CVS trunk testing results (BSDI BSD/OS)
Date: Mon, 08 May 2006 21:44:55 -0400
User-agent: Thunderbird 1.5.0.2 (Windows/20060308)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark D. Baushke wrote:
>>> I'm not so sure.  In at least one sense, signatures never have security
>>> flaws, only verifications.
>
> Actually, this is not necessarily true in the general case. If the
> hash algorithm is compromised, it is possible that an entire class
> of signatures could have security flaws from a trust point of view.
>
Well, yes.  I may have phrased that badly, but what I was trying to
get at is that a sufficiently up-to-date client should recognize the
compromised hash and report the signature as invalid, regardless of
whether it was once valid.

> It is also true that signing a delta with a compromised key that
> has been revoked on the server could also be a flaw.

One that would also be detected with a client with an up-to-date key
chain.

> I believe you will find that the version text is explicitly outside
> of the text that gets hashed for signature validation.

Maybe - I can't recall off the top of my head, but if the data were
incorrect then the client wouldn't be able to interpret the hashes
correctly and it would be found to be an invalid signature once again.

>>> I'd feel fairly secure changing the default to `warn' instead
>>> of `fatal', however this should never be auto-negotiated with
>>> the server because a compromised server could then just tell
>>> the client it didn't support signatures and the user might never
>>> notice verify-on-checkout had been disabled.
>>>
>>> Signing is auto-negotiated by default.  The CVS client will not
>>> attempt to sign commits if the server does not report support for
>>> signatures.
>
> Okay, I guess I can live with it...

You can live with it or you think I am right?  :)  I'm thinking it
wouldn't be so bad to switch the default to "warn".  I doubt you will
be the only person to complain about this.  Of course, how much flak
will we get when a lack-of-server-signature-support warning scrolls
off the top of the screen during a big checkout and some compromised
code sneaks through.  I'm not sure we can win with this one.  :(

Regards,

Derek
- --
Derek R. Price
CVS Solutions Architect
Get CVS support at Ximbiot <http://ximbiot.com>!
v: +1 248.835.1260
f: +1 248.835.1263
<mailto:address@hidden>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEX/QXLD1OTBfyMaQRAh7cAJwPoqR9XQWQNMyxlpuFF89HoA0KNACdE+en
h5OTppJmrzZQ4XlRzzVPqsg=
=lDpP
-----END PGP SIGNATURE-----
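The policy the two of them are arguing over, written out as an added example that is not CVS's own code: the verify-on-checkout mode (`fatal` / `warn`) is a client-side setting that the server's capability list cannot override, signing is negotiated and skipped when the server does not advertise it, and a signature made with a hash the client no longer trusts or with a revoked key is reported invalid even if it verified at the time it was made. HMAC with a shared secret stands in for an OpenPGP signature so the block runs offline; `COMPROMISED_HASHES`, the `Keyring` class, the capability name `"signatures"` and all function names are assumptions for the illustration.

```python
"""Client-side verify-on-checkout policy (constructed example, not CVS code).

HMAC over the delta text stands in for a real OpenPGP signature; the policy
logic is the point, not the primitive.
"""
import hmac
from dataclasses import dataclass, field

# Hash algorithms the client no longer trusts for signatures. Assumption:
# the client ships such a list and keeps it current, which is what makes an
# old signature over a broken hash show up as invalid.
COMPROMISED_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Signature:
    key_id: str
    hash_algo: str
    mac: str  # hex digest over the delta text only (version text is excluded)


@dataclass
class Keyring:
    keys: dict = field(default_factory=dict)   # key_id -> secret (stands in for a public key)
    revoked: set = field(default_factory=set)  # key_ids the keychain knows are revoked


def sign_delta(delta: bytes, key_id: str, secret: bytes, hash_algo: str) -> Signature:
    """Produce the stand-in signature over the delta text."""
    return Signature(key_id, hash_algo, hmac.new(secret, delta, hash_algo).hexdigest())


def verify_delta(delta: bytes, sig: Signature, ring: Keyring) -> tuple:
    """Return (ok, reason).  Checks the hash and key status before the digest,
    so a once-valid signature is rejected once the hash or key is no longer trusted."""
    if sig.hash_algo in COMPROMISED_HASHES:
        return False, "hash %s is no longer trusted" % sig.hash_algo
    if sig.key_id in ring.revoked:
        return False, "key %s has been revoked" % sig.key_id
    secret = ring.keys.get(sig.key_id)
    if secret is None:
        return False, "key %s not in keyring" % sig.key_id
    expected = hmac.new(secret, delta, sig.hash_algo).hexdigest()
    if not hmac.compare_digest(expected, sig.mac):
        return False, "digest mismatch"
    return True, "ok"


def effective_verify_mode(client_mode: str, server_caps: set) -> str:
    """Verification is decided by the client alone.  server_caps is accepted
    only to make the contrast explicit: it is deliberately not consulted, so a
    server claiming no signature support cannot switch verification off."""
    if client_mode not in ("fatal", "warn", "off"):
        raise ValueError("unknown verify mode: %r" % client_mode)
    return client_mode


def client_will_sign(server_caps: set) -> bool:
    """Signing, by contrast, is auto-negotiated: nothing is signed for a
    server that does not advertise support."""
    return "signatures" in server_caps


def checkout(delta: bytes, sig, ring: Keyring, client_mode: str, server_caps: set) -> str:
    """Apply the client's verify mode to one delta and say what happened."""
    mode = effective_verify_mode(client_mode, server_caps)
    if mode == "off":
        return "accepted"
    ok, reason = verify_delta(delta, sig, ring) if sig else (False, "no signature")
    if ok:
        return "accepted"
    if mode == "fatal":
        return "rejected: " + reason
    return "accepted with warning: " + reason


if __name__ == "__main__":
    ring = Keyring(keys={"alice": b"alice-secret"})
    delta = b"-old line\n+new line\n"
    good = sign_delta(delta, "alice", b"alice-secret", "sha256")
    stale = sign_delta(delta, "alice", b"alice-secret", "sha1")
    print(checkout(delta, good, ring, "fatal", {"signatures"}))
    print(checkout(delta, stale, ring, "fatal", {"signatures"}))
    # A server that advertises nothing still cannot turn verification off:
    print(checkout(delta, None, ring, "warn", set()))
```

The `warn` branch is exactly the case Derek worries about: the delta is accepted and the only trace is one line of output that can scroll off the screen during a large checkout, whereas `fatal` stops the checkout on the first unverifiable delta.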