Re: [Arx-users] "Signed" archives


From: Walter Landry
Subject: Re: [Arx-users] "Signed" archives
Date: Fri, 10 Dec 2004 22:34:31 -0500 (EST)

Kevin Smith <address@hidden> wrote:
> On Fri, 2004-12-10 at 08:45 -0500, Walter Landry wrote:
> > If an archive is signed, then ArX will verify signatures for any
> > revision it gets from the archive.  So if an attacker deletes some of
> > the signatures, ArX will complain and fail.
> 
> (snip)
> 
> > It isn't entirely atomic, in that it does one revision at a time.  So
> > someone seeing the archive halfway through would see parts signed, and
> > parts unsigned.
> > 
> > Would that be good enough?
> 
> I'm not as concerned about the atomicity as I am about the (bad) notion
> of a partially-signed archive. My current opinion is that a partially
> signed archive is an invalid archive. If someone were to see the archive
> half-way through the process, their operations should fail the moment
> they encounter an unsigned patch or revision in an archive that claims
> to be signed.

Correct, more or less.  ArX doesn't actually verify every single patch
it downloads.  It only verifies signatures on patches if using replay
or get-patch.  Otherwise, it verifies revisions, which may be
constructed out of unverified patches.  Verifying all patches would
introduce more delays on high latency links.  It also wouldn't improve
security, since the final signature is already verified.

> I think that's the same thing you said in the first paragraph above, but
> am not certain. ArX should make it difficult to end up with a
> partly-signed archive, and should make it moderately easy to convert a
> partly-signed archive into a fully-signed archive (possibly by first
> converting it to an unsigned archive?)

Once the new semantics are implemented, it is one command to sign a
complete archive, plus however many commands required to update the
archive public keys.  I don't think it gets much easier than that.

Walter
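The get-versus-replay semantics described in the reply above, as an added example that is not ArX's own code: a toy archive model in which get_revision rebuilds a revision from its patches and checks only the signature on the final revision, while replay checks every patch signature and fails at the first missing or bad one. HMAC-SHA256 is an assumption standing in for ArX's public-key signatures so the example runs with the standard library alone; the three-patch sample archive, the function names (build_archive, get_revision, replay, run_scenarios) and the tampering scenarios are constructed for this example.

```python
import copy
import hashlib
import hmac

# Constructed stand-in for the archive signing key. ArX uses public-key
# signatures; HMAC-SHA256 is used here only so the example needs no extra
# libraries. The structure (sign, verify, detached signature) is the same.
ARCHIVE_KEY = b"example-archive-signing-key"


class SignatureError(Exception):
    """A required signature is missing or does not verify."""


def sign(data: bytes) -> str:
    return hmac.new(ARCHIVE_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig) -> bool:
    return sig is not None and hmac.compare_digest(sign(data), sig)


def canonical(lines) -> bytes:
    """Canonical byte form of a revision's tree (here: one text file)."""
    return b"\n".join(line.encode() for line in lines) + b"\n"


def patch_bytes(ops) -> bytes:
    """Canonical byte form of a patch: one '+line' or '-line' per op."""
    return b"\n".join(f"{op}{line}".encode() for op, line in ops) + b"\n"


def apply_patch(lines, ops):
    out = list(lines)
    for op, line in ops:
        if op == "+":
            out.append(line)
        elif op == "-":
            out.remove(line)
        else:
            raise ValueError(f"unknown op {op!r}")
    return out


def build_archive():
    """Constructed three-revision archive in which every patch and every
    resulting revision carries a signature (a fully signed archive)."""
    patches = [
        [("+", "int main(void)"), ("+", "{ return 0; }")],
        [("-", "{ return 0; }"), ("+", "{ return 1; }")],
        [("+", "/* end */")],
    ]
    archive = {"patches": [], "revision_sigs": []}
    lines = []
    for ops in patches:
        archive["patches"].append({"ops": ops, "sig": sign(patch_bytes(ops))})
        lines = apply_patch(lines, ops)
        archive["revision_sigs"].append(sign(canonical(lines)))
    return archive


def get_revision(archive, n):
    """'get': rebuild revision n from patches 0..n without consulting the
    patch signatures, then verify the signature on the final revision."""
    lines = []
    for entry in archive["patches"][: n + 1]:
        lines = apply_patch(lines, entry["ops"])
    if not verify(canonical(lines), archive["revision_sigs"][n]):
        raise SignatureError(f"revision {n}: bad or missing signature")
    return lines


def replay(archive, n):
    """'replay': apply patches 0..n, verifying each patch's signature and
    failing at the first one that is missing or wrong."""
    lines = []
    for i, entry in enumerate(archive["patches"][: n + 1]):
        if not verify(patch_bytes(entry["ops"]), entry["sig"]):
            raise SignatureError(f"patch {i}: bad or missing signature")
        lines = apply_patch(lines, entry["ops"])
    return lines


def succeeds(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except SignatureError:
        return False


def run_scenarios():
    """Outcomes of get and replay against the fully signed archive and three
    attacker-modified copies. Returns {scenario: (get_ok, replay_ok)}."""
    good = build_archive()
    last = len(good["patches"]) - 1

    no_patch_sig = copy.deepcopy(good)          # signature stripped from patch 1
    no_patch_sig["patches"][1]["sig"] = None
    no_rev_sig = copy.deepcopy(good)            # signature stripped from revision 1
    no_rev_sig["revision_sigs"][1] = None
    tampered = copy.deepcopy(good)              # patch 1 rewritten, cannot be re-signed
    tampered["patches"][1]["ops"] = [("-", "{ return 0; }"), ("+", "{ return 2; }")]

    return {
        "fully_signed": (succeeds(get_revision, good, last), succeeds(replay, good, last)),
        "patch_sig_deleted": (succeeds(get_revision, no_patch_sig, last),
                              succeeds(replay, no_patch_sig, last)),
        "revision_sig_deleted": (succeeds(get_revision, no_rev_sig, 1),
                                 succeeds(replay, no_rev_sig, 1)),
        "patch_tampered": (succeeds(get_revision, tampered, last),
                           succeeds(replay, tampered, last)),
    }
```

The scenarios line up with the two points made in the reply: deleting a patch signature is caught by replay but not by get, which never looks at patch signatures, while any actual change to a patch's content is still caught by get because the rebuilt tree no longer matches the signed final revision. Deleting a revision signature, conversely, fails get but not replay, so a client of a "signed" archive sees a failure for the operation it is performing rather than a silent fallback to unsigned data.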
