On Fri, Jan 07, 2005 at 12:09:52PM +0100, Ralf Ertzinger wrote:
Florin Andrei <florin@xxxxxxxxxxxxxxx> wrote:
One thing that i noticed the newbies get confused with is the "rpm -- import (blah)GPG-KEY" trick that has to be done after installing a new system.
I'm sure there is a good reason why the keys are not imported by the installer by default, would someone be so kind to tell me why?
Security. It's generally a good idea to validate that the key you're adding to the keyring is really the one that you think it is, and if this keyring addition were done automatically, then someone could switch out the keys, thus a malicious key would be automatically added to the keyring. Things start to go downhill from that point.
- jkt
If someone has enough access to insert their own public key into the pre-install image, they also have enough access to modify rpm to do their evil bidding, with our without keys. The install image *must be trusted* if anything can be trusted at all. Let me say that again, because it's critically important. If you can't trust the install image, all other bets about security are off. Your box has been r00ted-- reformat, reinstall; there are no other options.
Furthermore, for the average user, it's actually *less* secure to have them import the key manually, because:
* There's an added opportunity for a malicious user to add their own key in place of the "real" one between when the OS is installed and when the key is imported. The number of users who actually *do* check key fingerprints is so absurdly small that it might as well be zero. It may look more secure on paper, but in practice (where security really matters) it's worse.
* Many users simply disable key checking to avoid the hassle of importing the keys manually. This isn't a "some user might" sort of hypothesis--I've witnessed it myself on multiple occasions. It *does* happen.
If web browsers forced the user to import all the root CA certs right after install, web security would be a joke. There would be no real guarantee of trust. You simply can't rely on the end user to set up his local security infrastructure correctly. Sure, you could tell grandma to be careful and verify all the certificate fingerprints before importing them, but how likely is that going to be? The average end user doesn't care about security until it all hits the fan. Our job is to keep that from happening, despite their best efforts to thwart us.
If security is your reason for requiring this extra step, then quit it. It isn't helping. If keys in the keyring upon system install can't be trusted, then nothing at all about the system can be trusted.
