On Mon, Feb 22, 2016 at 6:35 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote: > Well, I agree the instructions could do better, but how would that help > if the site was compromised? The attackers would write their own > instructions. > > In addition to the verify link, the https://getfedora.org/en/keys/faq/ > needs a good going over. New users are stateless and little can be done there; at least not right now when pre-textual security procedures' like Fedora's are ubiquitous and thus can't be taken as a clear sign of compromise. Existing users are another matter; "Hey, wasn't the last fedora key signed by the fedora-keys-key that I already have?? Something smells fishy here". Doubly so if fedora included a fedora-downloader that users use to get new images which automatically checked these things. > Pointing people to the sks keyservers to download the key would be nice I don't think there is any utility in pointing people to a keyserver here. > and asking them to check the signatures for a web of trust link would > be great, but I am not sure how many people would care to do that or > have any links there. It's useful if that even worked for the few who would do it-- so that in untargeted replacement they could sound alarms. But I wasn't even suggesting something so broad as WOT: I'm only suggesting that Fedora should commit to signing every release key with a long lived, offline stored, key-- or, alternatively, with prior releases release keys. So that people who somehow managed to get a faithful fedora keyring at some point aren't exposed to compromise over and over again in the future. > If the site is compromised how would any of that help? The compromised site could not sign their replacement keys-- they'd have to just alter or drop the procedure that provides actual security, and this disruption would catch the attention of some users. (and better, if an automated mechanism is provided and gains wide usage.) > This is already done somewhat... the fedora-repos package has all the > keys in it from the time it was last updated. That's good. The last I had seen it didn't include key for future releases. If they're there now the instructions could simply tell the user to skip the key download if they're already on an updated fedora install. The limitation there is that this need to have virtually no false positives, and so the lack of updates to that package as versions go EOL would still be problematic. "Oh, it didn't work. I guess I'll blindly pull the keys from the site" would undo the security. > So, if you have a fedora > install you can check the key in fedora-repos. However, that still > doesn't get around the fact that the anchor of trust here is the ca > certificate system, or I suppose, best case it would be a web of trust > link back to the gpg key, but the web of trust is not that expansive > and random users who don't care about gpg likely wouldn't have any > links into the Fedora web of trust. "Trust anchor" is too narrow a concept-- If the user has to only successfully get the real keys once and then will be protected after if they're successful, that is win in and of itself. It also means that more effort can be rationally expended on those few times initialization (e.g. trying the WOT method, checking multiple sources, etc.). -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
