
Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch


From: Karel Gardas
Subject: Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch
Date: Sun, 7 Dec 2003 21:09:03 +0100 (CET)

On Sun, 7 Dec 2003, Tom Lord wrote:

> There have been several (including some very recent) irc chats about
> adding cryptographic signatures to arch.  My understanding is that
> there might be some people interested in implementing this.  I can do
> this myself but I thought I'd post a plan for it here in case somebody
> wants to jump on it and have some fun with it.

Heck, I've thought a few hours about it, but w/o any free time now, it's
nearly useless :-(

Anyway some notes are below.

> 2) Add a "signed-archive" property to archives
>
>    Have a look at libarch/archive.c(arch_make_archive) and
>    arch_pfs_make_archive.   Note how the parameter dot_listing_lossage
>    is used.
>
>    Add a similar parameter signed_archive, so that if you create
>    an archive with --signed, =meta-info in the archive will
>    contain a file "signed-archive" containing the string "system
>    cracking is lame".
>

Is this really needed? I would rather be for some kind of security levels
set in $HOME/.arch-params/=locations. This way different users can handle
the same archive differently, i.e. on get with sig broken either nothing,
or warning, or error might happen.

> 3) Modify arch_pfs_connect to collect a passphrase
>
>    It's a bit icky to keep the passphrase in tla's memory but I think
>    it's more reasonable in this case than the alternatives.
>
>    In libarch/pfs.c(arch_pfs_connect), after connecting, look for
>    the "signed-archive" file.   If present, prompt the user for
>    a passphrase and record it.
>

Please no! That's exactly how it shouldn't be done, since you will need to
increase the size of your TCB code, which is not good from a security
review point of view.

<snipped other points>

Well, I will probably finally write my own proposal, just to not only
criticize your own. :-)

Cheers,

Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com




