|
From: | Daniel Carrera |
Subject: | Re: [Monotone-devel] Monotone Security |
Date: | Thu, 16 Oct 2008 19:02:48 +0200 |
User-agent: | Thunderbird 2.0.0.17 (Macintosh/20080914) |
Jack Lloyd wrote:
That could easily happen due to a time change, though:
Yeah, and a malicious attacker could make the bad revisions children of a very old revision. So checking that dates are sequential is useless.
Monotone already has a way to deal with the DOS attack that Peter found (10 million encumbered revisions) but it requires a custom script. Maybe it'd be easier to just ship Monotone with a Lua script that removes the bad key. It's not used by default, but if/when Peter's DOS attack happens, the developers can run the script:
function recovery_from_compromised_keys(key) { foreach (head) { if (head is signed with bad key) { 1. find the first ancestor revision of that head that is signed by a good key. 2. delete every descendant of that revision. } } } Daniel.
[Prev in Thread] | Current Thread | [Next in Thread] |