Skip to content

Instantly share code, notes, and snippets.

@havenwood

havenwood/rubygems-trust.md

Last active December 12, 2015 02:59
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save havenwood/4703413 to your computer and use it in GitHub Desktop.
Save havenwood/4703413 to your computer and use it in GitHub Desktop.
Download ZIP
X.509 Trust Requirements Rough List
Raw
rubygems-trust.md

X.509 Trust Requirements

Highest Priority

Prevent MITM Attack

Problems

  • DNS Hijacking
  • DNS Spoofing
  • SSL Stripping

Solution

  • Encourage X.509 use with -P HighSecurity default
  • Integrate RubyGems cert creation process with CA(s) such that maintainers cert is offered to be signed by CA(s)

Revoke Certificates

Problems

  • Gem maintainer goes rogue
  • Gem maintainer loses or publicly discloses cert
  • Cert stolen

Solution

  • CA(s) revoke cert
  • RubyGems checks revocation list

Medium Priority

Allow Multiple Maintainers

Problems

  • Multipe maintainers pushing same gem

Solution

Low Priority

Verify Email Addresses of Maintainers

Problems

  • Do you at least have control of the email address you claim is yours?

Solution

Out of Scope

  • Verify real names of gem maintainers
  • Verify that gem contents are safe and non-malicious
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment