Message-ID: <83d6dca5fec8b2b31e548d56cdf196e39549d9ca.camel@HansenPartnership.com>
Date: Sun, 21 Jan 2024 10:58:32 -0500
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Theodore Ts'o <tytso@....edu>, Linus Torvalds
	 <torvalds@...ux-foundation.org>, G@....edu
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-scsi
	 <linux-scsi@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] final round of SCSI updates for the 6.7+ merge window

On Sun, 2024-01-21 at 01:30 -0500, Theodore Ts'o wrote:
> Unlike James, I've tried to use DANE, since about the only thing that
                    ^
                  never?

> has as disastrous a user experience as gpg is DNSSEC.  :-) I just
> manually upload keys to the kernel and Debian keyrings, and it's been
> working out, apparently without much pain for either me or to those
> who rely on my keys --- at least, no one has complained to me so
> far....

Well the theory is sound: if the DNS is secure and trustworthy, getting
the gpg key from the same domain as the email records proves the tie
between the uid and the key (obviating the need for all this keysigning
and web of trust).  Making DNS substitute for all these stupid external
CAs for web certificates as well (via DANE export of the X509 public
key) is also a good idea, as is exporting the ssh host keys and things.

However, having maintained DNSSEC for almost a decade now, I'm not
going to pretend it's something a non-expert sysadmin should be trying:
it's very particular and problems are hard to debug; you really have to
be in the top tier of expert sysadmins to be successful with it. 
However, once it is running, bind9 now takes much of the pain out of
rolling the domain keys and, if you run a dynamic domain (one that can
be updated with nsupdate), you can actually give all your users scoped
permission to update their own key records, so if you have an expert
sysadmin on the domain, they can make DANE usable for all the
non-experts.

I think the gpg usability problem is that I can't mark my key as being
DANE available in the key itself, so gpg would just automatically check
the DNS for an update and throw a warning if there was a DNS problem
(but still use the cached key).  The failure is the users having to
figure out that my key is DANE available and then what combinatoric
explosion of gpg options they actually need to update it.

James
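The two mechanisms the mail leans on, an OPENPGPKEY record under the mail domain (RFC 7929) and a bind9 dynamic zone where each user may update only their own record, put together as an added example; this is not code from the thread or from bind9, and the address abc@example.com, the TSIG key name abc-key and the base64 key blob are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): derive a DANE OPENPGPKEY owner name,
# emit the nsupdate script that publishes the key, and emit the bind9
# update-policy grant that limits a user's TSIG key to that one record.

# SHA-256 hex of stdin; coreutils sha256sum, or BSD shasum as a fallback.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# RFC 7929 owner name: SHA-256 of the local part, truncated to 28 octets
# (56 hex characters), under _openpgpkey.<domain>.  The local part is hashed
# exactly as given, so "User@" and "user@" map to different records.
openpgpkey_owner_name() {
    addr=$1
    lp=${addr%@*}
    dom=${addr##*@}
    h=$(printf '%s' "$lp" | sha256_hex | cut -c1-56)
    printf '%s._openpgpkey.%s\n' "$h" "$dom"
}

# nsupdate script replacing the user's OPENPGPKEY RRset.  $2 is the base64 of
# the binary (not ASCII-armoured) public key, e.g. the output of
#   gpg --export --export-options export-minimal <keyid> | base64 -w0
openpgpkey_update_script() {
    owner=$1 keydata=$2 ttl=${3:-3600}
    printf 'update delete %s. OPENPGPKEY\n' "$owner"
    printf 'update add %s. %s IN OPENPGPKEY %s\n' "$owner" "$ttl" "$keydata"
    printf 'send\n'
}

# bind9 update-policy grant: the TSIG key named $1 may change only the
# OPENPGPKEY RRset at exactly $2 and nothing else in the zone.
bind_update_policy_grant() {
    printf 'grant %s name %s. OPENPGPKEY;\n' "$1" "$2"
}

# Demo with constructed values (hypothetical address, placeholder key blob).
demo_owner=$(openpgpkey_owner_name "abc@example.com")
echo "$demo_owner"
bind_update_policy_grant "abc-key" "$demo_owner"
openpgpkey_update_script "$demo_owner" "bm90LWEtcmVhbC1rZXk=" 3600
```

The grant line goes inside the zone's `update-policy { ... };` block in named.conf, and the user then runs the generated script with `nsupdate -k <their TSIG key file>`; because the grant names the exact owner and only the OPENPGPKEY type, a leaked user key cannot be used to touch MX, TLSA or any other record in the zone.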

