@dstufft
Created February 2, 2013 22:20
Proposal

  1. Create a document that lists all the valid keys, signed by those same keys.
    • This document also states the number of keys required to constitute a valid signature (default: 1).
    • Any update to the document requires signatures by the required number of keys from the previous version.
  2. The user installing a distribution has multiple security options to choose from.
  3. Create an append-only log of "transactions" that can be easily mirrored by anyone and can be used, in the event of an attack on the primary repository, to verify the authenticity of files.

Reasonably Secure (Default)

  1. The signed document exists on the repository. The first time a distribution for a particular project is installed, the installer prompts the user to accept or decline the key. The vast bulk of users will simply hit "Yes", but that's ok (see Insecurities).
  2. If the user already has a trust document for the project, the installer checks with the repository to see if there have been any updates to this document and verifies that the updates have been properly signed.
  3. Once the user has a trust document that has been properly signed and updated, the installer downloads the distribution and verifies it against the trust document.
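The update and verification rules from the proposal and the three steps above, as an added example that is not part of the original gist. It assumes a JSON trust document with `version`, `threshold`, `keys` and `files` fields (names chosen here), and uses HMAC-SHA256 over constructed keys as a stand-in for the real signatures (GPG or otherwise) the proposal leaves open.

```python
import hashlib
import hmac
import json

# Constructed sample keys (key id -> secret). HMAC-SHA256 stands in for real
# signatures (GPG or similar) so this runs with only the stdlib.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3"}

def canonical(doc):  # deterministic bytes so signatures are stable
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign(doc, key_ids):  # {key id: signature} over the document
    body = canonical(doc)
    return {k: hmac.new(KEYS[k], body, hashlib.sha256).hexdigest() for k in key_ids}

def count_valid(doc, sigs, trusted):
    """Number of signatures that verify AND come from keys in `trusted`."""
    body = canonical(doc)
    good = 0
    for kid, sig in sigs.items():
        if kid in trusted and kid in KEYS:
            want = hmac.new(KEYS[kid], body, hashlib.sha256).hexdigest()
            good += int(hmac.compare_digest(want, sig))
    return good

def verify_updates(pinned, updates):
    """Walk updates (oldest first) from the document pinned at first install.
    Each new version needs >= `threshold` signatures from keys listed in the
    PREVIOUS version; a version gap or rollback is rejected. None on failure."""
    current = pinned
    for doc, sigs in updates:
        if doc["version"] != current["version"] + 1:
            return None
        if count_valid(doc, sigs, set(current["keys"])) < current["threshold"]:
            return None
        current = doc
    return current

def verify_file(trust_doc, name, data):
    """Check a downloaded distribution against the digest in the trust doc."""
    return trust_doc["files"].get(name) == hashlib.sha256(data).hexdigest()

# Constructed trust documents: v1 is pinned on first install; v2 rotates to
# k2+k3, raises the threshold to 2 and lists one distribution's SHA-256.
DIST = b"constructed sdist bytes"
V1 = {"project": "example", "version": 1, "threshold": 1,
      "keys": ["k1", "k2"], "files": {}}
V2 = {"project": "example", "version": 2, "threshold": 2, "keys": ["k2", "k3"],
      "files": {"example-1.0.tar.gz": hashlib.sha256(DIST).hexdigest()}}
```

Note that a key removed in one version cannot sign the next, and a later document cannot lower the threshold for itself: the previous version's rules always decide.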

Insecurities

  • The first time a user installs a distribution they are insecure (similar to the first time they connect to an SSH server). This represents a small departure from the Requirements; however, once the initial trust has been established this goes away.
  • Remote servers become an issue (Heroku etc). Installers will need to embed signing information in their serialization formats.

Paranoid

Similar to the above system, except that it does not automatically handle the initial trust document download. Users will be expected to get that on their own and add it into the system.

Future

Depending on the technology in use (GPG keys or other), have an empty database of trust roots so that in the future someone could stand up a CA and an end user could decide to delegate their trust to that CA. This ability could furthermore be used by businesses to verify and sign packages that their employees could use.

Append Only Log

Git is essentially append only. While there are methods to rewrite the history, that cannot be done without breaking the mirrors, and it is obvious when it happens.
