Date:	Sat, 08 Oct 2011 13:59:48 -0400
From:	Jon Masters <jonathan@...masters.org>
To:	Valdis.Kletnieks@...edu
Cc:	Krzysztof Halasa <khc@...waw.pl>, Adrian Bunk <bunk@...sta.de>,
	"Frank Ch. Eigler" <fche@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Sat, 2011-10-08 at 10:36 -0400, Valdis.Kletnieks@...edu wrote:
> On Sat, 08 Oct 2011 01:02:13 EDT, Jon Masters said:
> 
> > What I'm saying is that unless you sign something (random text, my
> > actual key(s)) in my presence, I can't actually know it was you I was
> > dealing with or someone else claiming to be you (or your identity).
> 
> Now see, this is *exactly* why security people have to be pedantic about
> stuff.  What you originally asked for was "sign random data to demonstrate
> control of the key", and I pointed out that being able to sign a key was as
> good as being able to sign random data to prove control of the key.

Good point about being pedantic, and the rest of your comments :) I
understand that I'm taking this a little far but I'm just trying to
point out one particular gaping hole in the way these things are
currently done. One reason I stopped doing keysigning parties is that I
realized they were mostly a show. You turn up and get a key signed and
then everyone is impressed that you're in the strong set...wupdedoo. Not
that I've anything against signing stuff on kernel.org and trying to
improve things (I've long directly signed everything on master with my
own keys in slight violation of policy, but that turned out to be right).

:)

Jon.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
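The proof-of-control exchange the thread is arguing about, as an added example that is not part of the original message or of any kernel.org tooling: the verifier draws fresh random data, the key holder signs it, and the verifier checks the signature against the claimed public key, so a signature produced earlier for someone else cannot be replayed. Ed25519 stands in for an OpenPGP key, and the domain label `key-control-proof-v1` is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge is the fresh random data the verifier asks the key holder to sign.
type Challenge [32]byte

// NewChallenge draws 32 random bytes; the freshness is what rules out replaying an old signature.
func NewChallenge() (Challenge, error) {
	var c Challenge
	_, err := rand.Read(c[:])
	return c, err
}

// transcript binds the challenge to the public key being claimed, so a signature
// cannot be presented as proof of control over some other key. (Label is an assumption.)
func transcript(pub ed25519.PublicKey, c Challenge) []byte {
	h := sha256.New()
	h.Write([]byte("key-control-proof-v1"))
	h.Write(pub)
	h.Write(c[:])
	return h.Sum(nil)
}

// ProveControl is the key holder's side: sign the verifier's challenge with the claimed key.
func ProveControl(priv ed25519.PrivateKey, c Challenge) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, transcript(pub, c))
}

// VerifyControl is the verifier's side: accept only a signature over this exact challenge
// made by this exact key; any other challenge or key yields false.
func VerifyControl(pub ed25519.PublicKey, c Challenge, sig []byte) bool {
	return ed25519.Verify(pub, transcript(pub, c), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c, _ := NewChallenge()
	sig := ProveControl(priv, c)
	fmt.Println("fresh challenge verifies:", VerifyControl(pub, c, sig))
	stale, _ := NewChallenge()
	fmt.Println("old signature against a new challenge:", VerifyControl(pub, stale, sig))
}
```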
