arx-users

Re: [Arx-users] "Signed" archives


From: Walter Landry
Subject: Re: [Arx-users] "Signed" archives
Date: Fri, 10 Dec 2004 08:45:05 -0500 (EST)

Kevin Smith <address@hidden> wrote:
> I'm not yet clear on how (if?) an archive could transition from being
> unsigned to being signed.

It is definitely a supported option to go from unsigned to signed (and
back).

> If an archive is signed, then I think that has
> to mean that EVERY patch and revision is signed. Otherwise, an easy
> attack is to delete some of the signatures, and then modify the data
> that is no longer protected.
> 
> Without thinking it through all the way, it seems like the restriction
> might be even stronger: that every patch and revision would have to be
> signed by a key that is (still) in the list of public keys for that
> archive. Not sure about that part, though.

If an archive is signed, then ArX will verify signatures for any
revision it gets from the archive.  So if an attacker deletes some of
the signatures, ArX will complain and fail.

> So as a result of that first paragraph, it seems to me that there needs
> to be a way to "sign" an entire existing, unsigned archive as an atomic
> transaction. Maybe that's an external utility, rather than a new command
> that would only rarely be used?

It wouldn't be too hard to modify "sig" so that it could recursively
sign branches and sub-branches.  For example, in my archive, I have the
branches under arx

  arx
    2
      0
        0 .. 51
        release
          0 .. 0
        xdelta
          0 .. 3
      1
        0 .. 145
        release
          0 .. 1

I could make it so that

  arx sig -a address@hidden/arx

would sign everything you see.  Similarly, to sign the entire archive,
I would issue the command

  arx sig -a address@hidden/

It isn't entirely atomic, in that it does one revision at a time.  So
someone seeing the archive halfway through would see parts signed, and
parts unsigned.

Would that be good enough?

Walter
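An added illustration of the two points in this exchange (every revision must carry a valid signature from a key still in the archive's key list, and a recursive "sig" walks a branch prefix one revision at a time). This is not ArX code; the archive layout, the `sign_branch`/`verify_archive` names and the use of HMAC-SHA256 in place of ArX's public-key signatures are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed toy archive: revision path -> content, e.g. "arx/2/0/3" for
# branch arx, version 2.0, revision 3, mirroring the tree in the mail above.
# HMAC-SHA256 stands in for ArX's real public-key signatures (an assumption).

def _mac(key: bytes, path: str, content: bytes) -> str:
    msg = path.encode() + b"\0" + hashlib.sha256(content).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_branch(archive, sigs, prefix, key_id, key):
    """Sign every revision under `prefix` (like `arx sig -a archive/prefix`;
    prefix "" means the whole archive).  It runs one revision at a time,
    so an observer mid-way sees a partly signed archive, the non-atomic
    window described in the reply."""
    for path, content in sorted(archive.items()):
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            sigs[path] = (key_id, _mac(key, path, content))
    return sigs

def verify_archive(archive, sigs, trusted):
    """Return (path, problem) for every revision not covered by a valid
    signature from a key still present in `trusted`.  An empty list means
    the archive checks out; a stripped signature or edited revision is
    reported here rather than silently accepted."""
    problems = []
    for path, content in sorted(archive.items()):
        if path not in sigs:
            problems.append((path, "unsigned"))
            continue
        key_id, mac = sigs[path]
        key = trusted.get(key_id)
        if key is None:
            problems.append((path, "untrusted key " + key_id))
        elif not hmac.compare_digest(mac, _mac(key, path, content)):
            problems.append((path, "bad signature"))
    return problems

def demo():
    archive = {"arx/2/0/0": b"initial import", "arx/2/0/1": b"fix build",
               "arx/2/0/release/0": b"2.0 release", "arx/2/1/0": b"start 2.1"}
    trusted = {"walter": b"k-walter"}                      # constructed keys
    sigs = sign_branch(archive, {}, "arx/2/0", "walter", trusted["walter"])
    partial = verify_archive(archive, sigs, trusted)       # 2.1 still unsigned
    sign_branch(archive, sigs, "", "walter", trusted["walter"])
    full = verify_archive(archive, sigs, trusted)          # everything signed
    tampered = dict(archive)                               # attacker strips a
    tampered["arx/2/0/1"] = b"backdoor"                    # signature, then
    stripped = {p: s for p, s in sigs.items() if p != "arx/2/0/1"}  # edits
    return partial, full, verify_archive(tampered, stripped, trusted)
```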