On Wed, 2003-02-05 at 18:53, Curt Sampson wrote:
> On Thu, 5 Feb 2003, Greg Copeland wrote:
>
> > > > > > Who will actually hold the key? Where will it be physically kept?
> > > >
> > > > Good question but can usually be addressed.
> > >
> > > It can be addressed, but how well? This is another big
Well said. I'm glad someone else is willing to take a stab at
addressing these issues, since I've been down with the flu. Thanks
Greg.
As both Gregs have pointed out, hashes and checksums alone should only
be used as an integrity check. They are not a viable security mechanism.
A hash does not p
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> So you put the MD5 sum into the release announcement email. That is
> downloaded by many people and also archived in many distributed places
> that we don't control, so it would be very hard to tamper with.
> ISTM that this gives you the same re
Curt Sampson writes:
> MD5, or any other unsigned check, makes sense from a security point of
> view only if it is stored independently from the thing you are checking.
So you put the MD5 sum into the release announcement email. That is
downloaded by many people and also archived in many distrib
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To answer some of my earlier questions, here is one specific way of doing it:
Tom Lane creates a PostgreSQL key, signing only, DSA, 1024 bits, that expires
in 3 years. It ends up looking something like this:
pub 1024D/0BB10D1D 2003-02-07 PostgreS
On Tue, 2003-02-04 at 18:27, Curt Sampson wrote:
> On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> > On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> > >
> > > Even improperly used, digital signatures should never be worse than
> > > simple checksums. Having said that, anyone tha
On Thu, 5 Feb 2003, Greg Copeland wrote:
> > > > > Who will actually hold the key? Where will it be physically kept?
> > >
> > > Good question but can usually be addressed.
> >
> > It can be addressed, but how well? This is another big issue that I
> > don't see any plan for that I'm comfortable w
On Tue, Feb 04, 2003 at 06:19:42PM -0600, Greg Copeland wrote:
>
> I do agree that a checksum (or hash) is better than nothing, however, a
> serious security solution it is not.
Which really is all I'm saying.
Kurt
On Wed, 2003-02-05 at 00:22, Curt Sampson wrote:
> On Wed, 4 Feb 2003, Greg Copeland wrote:
>
> > If three people are required to sign a package prior to release,
> > what happens when one of them is unavailable for signing (vacation,
> > hospital, etc). This is one of the reasons why having a sin
On Wed, Feb 05, 2003 at 15:22:12 +0900,
Curt Sampson <[EMAIL PROTECTED]> wrote:
> On Wed, 4 Feb 2003, Greg Copeland wrote:
>
> Hm. Splitting the key into parts is a very interesting idea, but I'd
> be interested to know how you might implement it without requiring
> everybody to be physically pr
On Wed, 4 Feb 2003, Greg Copeland wrote:
> If three people are required to sign a package prior to release,
> what happens when one of them is unavailable for signing (vacation,
> hospital, etc). This is one of the reasons why having a single project
> key which the core developers sign may appear
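Added example (mine, not the PostgreSQL project's process and not code posted by anyone in this thread) for the split-key idea raised in the three messages above: Shamir k-of-n secret sharing over a prime field. The signing key is handed out as n shares and any k of them rebuild it, so a release is not blocked when one holder is in hospital or on vacation, while fewer than k shares reveal nothing about the key. The 512-bit "key" is a constructed integer standing in for OpenPGP key material or its passphrase, and 3-of-5 is an assumed policy.

```python
"""
k-of-n custody for a project signing key (Shamir secret sharing over GF(p)).

Added illustration, not the PostgreSQL project's process. The 512-bit "key"
is a constructed integer standing in for OpenPGP key material or its
passphrase, and 3-of-5 is an assumed policy. Any k shares rebuild the secret;
fewer than k reveal nothing about it.
"""
import secrets

P = 2**521 - 1          # prime field large enough to hold a 512-bit secret


def _eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = secret."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation of f(0) from the given shares; the result is
    wrong (and uniformly random) if fewer than k distinct shares are supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P        # product of (0 - x_j)
                den = den * (xi - xj) % P    # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo():
    """Five core developers hold one share each; any three can sign a release."""
    key = secrets.randbits(512)              # constructed stand-in for the key material
    shares = split_secret(key, k=3, n=5)
    return {
        "three_of_five": recover_secret(shares[:3]) == key,
        "any_other_three": recover_secret([shares[0], shares[2], shares[4]]) == key,
        "two_is_not_enough": recover_secret(shares[:2]) == key,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want. First, shares do not need anyone to be physically present: each holder's share can be mailed to them encrypted to their own key, and at release time k holders send their shares (again encrypted) to whoever does the signing. Second, that reconstruction reassembles the whole key in the clear on one machine, so that machine and its operator still have to be trusted for the duration of the signing; a threshold signature scheme in which the key is never assembled is the stronger design, and it is not what this example shows.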
On Tue, Feb 04, 2003 at 23:13:47 +0100,
Kurt Roeckx <[EMAIL PROTECTED]> wrote:
>
> So a fingerprint and all the hash/digest function have no purpose
> at all?
The purpose of both is to reduce the amount of material in a way that
makes it hard to generate some other material that would result in
----- Original Message -----
From: "Kurt Roeckx" <[EMAIL PROTECTED]>
>
> Should I point out that a "fingerprint" is nothing more than a
> hash?
>
If somebody shows you their passport to prove who they are and then gives
you a fingerprint of their PGP key, they have implicitly signed that
fingerpr
On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> >
> > Even improperly used, digital signatures should never be worse than
> > simple checksums. Having said that, anyone that is trusting checksums
> > as a form of authenticity valid
On Tue, 4 Feb 2003, Kurt Roeckx wrote:
> > There really isn't any comparison here.
>
> I didn't say you could compare the security offered by both of
> them. All I said was that md5 also makes sense from a security
> point of view.
MD5, or any other unsigned check, makes sense from a security po
On Tue, 4 Feb 2003, Kurt Roeckx wrote:
> I know how it works, it's just very unlikely I'll ever meet
> someone so it gives me a good chain.
One postgresql conference is all it takes.
> Anyway, I think pgp is good thing to do, just don't assume that
> it's always better then just md5.
I think it
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
>
> Even improperly used, digital signatures should never be worse than
> simple checksums. Having said that, anyone that is trusting checksums
> as a form of authenticity validation is begging for trouble.
Should I point out that a
On Tue, 2003-02-04 at 12:02, Rod Taylor wrote:
> On Tue, 2003-02-04 at 12:55, Kurt Roeckx wrote:
> > On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
> > > On Mon, 3 Feb 2003, Kurt Roeckx wrote:
> > >
> > > > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > > > tr
Comments intermixed below.
On Tue, 2003-02-04 at 12:04, Steve Crawford wrote:
> Having just started working with GPG I shouldn't be considered an expert but
> it seems to me that each core developer should create a key and should
> cross-sign each others' keys to form a web of trust to verify th
Having just started working with GPG I shouldn't be considered an expert but
it seems to me that each core developer should create a key and should
cross-sign each others' keys to form a web of trust to verify the
authenticity of those signatures. In any case, I think that if
security-related p
On Tue, 2003-02-04 at 12:55, Kurt Roeckx wrote:
> On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
> > On Mon, 3 Feb 2003, Kurt Roeckx wrote:
> >
> > > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > > trust those pgp keys to be the real one either.
> >
> > Sure
On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
> On Mon, 3 Feb 2003, Kurt Roeckx wrote:
>
> > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > trust those pgp keys to be the real one either.
>
> Sure you can. Just verify that they've been signed by someone you
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
There are generally two ways to do it: have a "project" key, or have
each developer use their own key. The advantage of the first way is
that each release is signed by the same key, which is clearly
associated with the project. The disadvantage is
On Mon, Feb 03, 2003 at 22:55:12 -0600,
Greg Copeland <[EMAIL PROTECTED]> wrote:
>
> I'll say this again. Checksums alone offers zero security protection.
> It was never intended to address that purpose. As such, it does not
> address it. If you need security, use a security product. Checks
On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
> 2. Do I trust him to take care of his own key and be careful signing
> other keys?
>
> 3. Do I trust his opinion that the postgres release-signing key that
> he signed is indeed valid?
>
> 4. Do I trust the holder of the postg
On Tue, 3 Feb 2003, Greg Copeland wrote:
> Surely there are a couple of key developers whom would be willing to
> sign each other's keys and have previously met before. Surely this
> would be the basis for phone validation. Then, of course, there is 'ol
> snail-mail route too. Of course, nothin
On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
> On Mon, 3 Feb 2003, Kurt Roeckx wrote:
>
> > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > trust those pgp keys to be the real one either.
>
> Sure you can. Just verify that they've been signed by someone you trust.
>
> F
On Mon, 2003-02-03 at 13:55, Kurt Roeckx wrote:
> On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
> > On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
> >
> > > right, that is why we started to provide md5 checksums ...
> >
> > md5 checksums only validate that the intended pack
On Mon, 3 Feb 2003, Kurt Roeckx wrote:
> I'm not saying md5 is as secure as pgp, not at all, but you can't
> trust those pgp keys to be the real one either.
Sure you can. Just verify that they've been signed by someone you trust.
For example, next time I happen to run into Bruce Momjian, I hope
On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
> On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
>
> > right, that is why we started to provide md5 checksums ...
>
> md5 checksums only validate that the intended package (trojaned or
> legit) has been properly received. They
On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
> right, that is why we started to provide md5 checksums ...
md5 checksums only validate that the intended package (trojaned or
legit) has been properly received. They offer nothing from a security
perspective unless the checksums have been si
> (3) Sign official releases using the PGDG private key, and provide the
> signatures on www.postgresql.org along with the packages themselves.
Sounds about right. I'd go as far as to sign release announcements and
security emails as well.
--
Rod Taylor <[EMAIL PROTECTED]>
PGP Key: http://www.r
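Added example (my own, not PostgreSQL project code or tooling, and not anything posted in this thread) putting Greg's point about md5 checksums and step (3) above into runnable form: an MD5 file sitting beside the tarball on a mirror is worthless against whoever controls that mirror, because they simply recompute it; an MD5 obtained independently (the release announcement) does catch the swap; and a detached signature catches it without any independent channel for the digest, provided the public key itself was obtained out of band rather than from the same mirror. The signature scheme here is textbook RSA over a SHA-256 digest with no padding, chosen only so the script runs on the standard library; that is an assumption of this example and not something to deploy, since a real release process would use OpenPGP/gpg. The tarball bytes, the trojaned copy, the mirror contents and both key pairs are all constructed in the script.

```python
"""
Checksum beside the tarball vs. independent checksum vs. detached signature.

Added illustration, not PostgreSQL project code or tooling. The signature
scheme is textbook RSA over a SHA-256 digest with no padding, used only so
the script runs on the standard library (an assumption of this example;
a real release process uses OpenPGP/gpg). Tarball bytes, the trojaned copy,
the mirror contents and both key pairs are constructed here.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a toy key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # never reached n-1: composite witness found
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); toy RSA, no padding, illustrative only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def md5sum(data):
    return hashlib.md5(data).hexdigest()


def sign(private, data):
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def release(project_private, tarball):
    """What the project pushes to every mirror: the tarball, a .md5 next to it, a .sig."""
    return {"tarball": tarball, "md5": md5sum(tarball), "sig": sign(project_private, tarball)}


def trojan_mirror(trojan, attacker_private):
    """A mirror operator swaps the tarball, recomputes the .md5 (anyone can) and
    even re-signs with a key of their own; the one thing they cannot do is make
    a signature that verifies under the project's public key."""
    return {"tarball": trojan, "md5": md5sum(trojan), "sig": sign(attacker_private, trojan)}


def client_checks(pinned_project_public, key_served_by_mirror, mirror_copy, announced_md5):
    """Four checks a downloader might run, from weakest to strongest."""
    t = mirror_copy["tarball"]
    return {
        "md5_from_mirror": md5sum(t) == mirror_copy["md5"],              # passes for any swap
        "md5_independent": md5sum(t) == announced_md5,                   # needs the announcement mail
        "sig_with_mirror_key": verify(key_served_by_mirror, t, mirror_copy["sig"]),  # key from the mirror
        "sig_with_pinned_key": verify(pinned_project_public, t, mirror_copy["sig"]),  # key obtained out of band
    }


def demo():
    project_pub, project_priv = generate_keypair()
    attacker_pub, attacker_priv = generate_keypair()
    genuine = b"constructed stand-in for the release tarball bytes"
    trojan = genuine + b" plus a backdoor"
    published = release(project_priv, genuine)
    announced_md5 = published["md5"]   # the digest as it would appear in the announcement mail
    return {
        "genuine": client_checks(project_pub, project_pub, published, announced_md5),
        "trojaned": client_checks(project_pub, attacker_pub,
                                  trojan_mirror(trojan, attacker_priv), announced_md5),
    }


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```

The trojaned row is the one to read: the mirror's own .md5 still matches, and a signature even verifies if the downloader takes the public key from the same mirror, which is exactly why the key has to reach users through another path (key signatures from people they already trust, a fingerprint printed in the announcement, a conference hand-off). Only the independently obtained digest and the signature checked against the pinned key fail.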
On Sun, 2003-02-02 at 21:23, Marc G. Fournier wrote:
> well, if you want to tell me the steps, I'll consider it ...
I certainly wouldn't consider myself to be an expert in PGP, but my
understanding of the basic steps is:
(1) Generate a public/private key pair for the PGDG team. This should be
use
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I think we should PGP sign all the "official" packages that are
> provided for download from the various mirror sites.
Doesn't anyone around here read pgsql-general? :) I've been arguing for
this over there since June of last year. I've also bee
"Marc G. Fournier" <[EMAIL PROTECTED]> writes:
> On Sun, 2 Feb 2003, Neil Conway wrote:
>> - ensuring that end users can trust PostgreSQL is an important part to
>> getting the product used in mission-critical applications, as I'm sure
>> you all know. Part of that is producing good software; anoth
On Sunday 02 February 2003 21:23, Marc G. Fournier wrote:
> On Sun, 2 Feb 2003, Neil Conway wrote:
> > I think we should PGP sign all the "official" packages that are provided
> > for download from the various mirror sites. IMHO, this is important
> > because:
> right, that is why we started to pr
On Sun, 2 Feb 2003, Neil Conway wrote:
> Folks,
>
> I think we should PGP sign all the "official" packages that are provided
> for download from the various mirror sites. IMHO, this is important
> because:
>
> - ensuring that end users can trust PostgreSQL is an important part to
> getting the pro
On Sun, 2003-02-02 at 18:39, Neil Conway wrote:
> Folks,
>
> I think we should PGP sign all the "official" packages that are provided
> for download from the various mirror sites. IMHO, this is important
> because:
>
> - ensuring that end users can trust PostgreSQL is an important part to
> getti
Neil Conway <[EMAIL PROTECTED]> writes:
> I think we should PGP sign all the "official" packages that are provided
> for download from the various mirror sites.
This is probably a good idea.
> I'd volunteer to do the work myself, except that it's pretty closely
> intertwined with the release proc
Folks,
I think we should PGP sign all the "official" packages that are provided
for download from the various mirror sites. IMHO, this is important
because:
- ensuring that end users can trust PostgreSQL is an important part to
getting the product used in mission-critical applications, as I'm sur