Re: Secrecy and user trust

Les Mikesell wrote:
> Ed Greshko wrote:
>> Ed Greshko wrote:
>>> It would be very nice if someone would fully define what they mean by
>>> the very vague term "fake key".
>>>
>
> In this context it would be one that a user would install that was not
> the one officially created for the packages in the fedora repository.
In other words, you don't know how to define what a "fake key" is....so
just avoid it and pretend. 
>
>> And along with that, define the method used to distribute said key in a
>> manner that would be oblivious to all the end users.
>
> It doesn't have to fool all the end users, just you.  Or someone with
> content worth stealing, or on a network worth penetrating.
So, the target is "one" system.
>
>> It has to be
>> oblivious to all end users such that nobody would be able to raise an
>> alarm in a reasonable amount of time.
>
> What's a reasonable amount of time?  A victim would notice if/when
> they manage to get an official RPM that the key doesn't match (unless
> their subverted packages remove the check) and might or might not do
> something besides import the correct key.
More "ifs".
>
>> If the public/private key methods employed today are as easy to
>> penetrate and subvert as some seem to be claiming then one has to
>> question why it hasn't already been done.
>
> It's not easy to fool everyone.  The question is whether there is a
> way to start from scratch so you can't fool anyone.
>
And, it is even less easy to "fool" the people whose networks have
something worth stealing....

Why go through the laughingly improbable scenario of attempting to
subvert the public/private key infrastructure with the potential need
to simultaneously subvert DNS infrastructure on a single target
when there are already other much more simple attack vectors?

Oh, and to answer your question...."Is there a way to design a system so
you can't fool anyone?"  Absolutely not.
 

-- 
Do YOU have redeeming social value?

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
