Re: Secrecy and user trust

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ed Greshko wrote:
Bill Davidsen wrote:
Ed Greshko wrote:
Patrick O'Callaghan wrote:
The hypothetical scenario being discussed is that you have already
replaced the former (good but now possibly suspect) public key with a
spurious new one. If that were to happen, you would be in danger of
accepting trojanned packages signed with this new fake key. My point is
that you would also *reject* packages signed with the new good key, and
this would be noticed very quickly (basically the next time you did an
update).
That is an extremely unlikely possibility as you have to generate a key
with the same key id (fingerprint)as the original.  Also, you have to
determine how to trick all users in to replacing the original.
All users? This is like spam email, you only need to succeed in a few
cases to get benefit. And distributing the fingerprint assumes you can
do that securely as well.

I think you have no concept of public/private encryption or signing.

My concept is that if I can fool you into accepting a false public key, I can sign packages with the matching false private key, and when you install the first such package it may (probably will) include evil things of some nature.

Do you disagree? Or feel that if I can get you to run one evil package I can't put in a root kit, or rend personal information from your systems, or otherwise attack your system?

If you feel that line of attack is not possible do tell me how your concept of encryption and signing prevents it.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux