[Server-devel] A simple signed bundle/directory trust scheme for the XS

Tom Mitchell mitch at niftyegg.com
Wed Aug 13 15:47:23 EDT 2008


On Tue, Aug 12, 2008 at 9:29 AM, Jerry Vonau <jvonau at shaw.ca> wrote:
> Martin Langhoff wrote:
>> On Tue, Aug 12, 2008 at 2:24 AM, Michael Stone <michael at laptop.org> wrote:
>>>  * What use cases are you trying to support?
>>
>> Insert a usb stick with content that is OK'd by the regional NOC
>> (network operations centre) for execution/installation on the XS.
>

-----

>>>  * What security
>>> properties are you trying to check?
>>
>> Signed by the NOC, not changed.
>>
>
> Why not encrypt the partition on the usb-stick? Not too sure what all
> that would involve, just some food for thought.

Caution, strong encryption is not legal in all the world.
Better to just use signed RPMs and perhaps hand verifiable checksums.

Key point: RPMs can be re-signed.

Some of the most in need parts of the world are places where "trust"
is most fragile.  I suspect that digital signatures and checksums can
be used to keep all the OLPC processes as reliable, open and
transparent as possible.  Encryption implies a deep lack of trust to
me.  Signed files permit trust and also verification.  Also the
ability to "extract and verify without a secret" the content of any
package might be important in a troubled region.

Summary:  RPMs can be re-signed... this permits local organizations to
pick up, verify, test and, if their policy desires, re-sign the packages
for local, regional use.

Fragment from the man page:

"Signatures:

    rpm {-K | --checksig} [signature-options] PACKAGE_FILE...

    rpm {--addsign | --resign} PACKAGE_FILE... "

So "signed by the NOC, and not changed" is possible to do. The
regional NOC may need to manage the secret half of their keys and
distribute the public half of their keys, but that is less of a problem and
more trusting and open than full encryption.

-- 
 T o m M i t c h e l l
 mitch-at-niftyegg-dot-com
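An added example (not from this thread, not OLPC code) of the check Tom describes, written as a POSIX sh script for the "USB stick of NOC-signed RPMs" case. It assumes the NOC's public key has already been imported into the rpm keyring with `rpm --import` and that the mounted stick is passed as the directory argument. The caveat it wires in: `rpm -K` prints OK for an unsigned package whose digests merely match, so a verifier must require a signature token on the line, not just OK.

```sh
#!/bin/sh
# Hypothetical verifier for a directory of NOC-signed RPMs (example code).
# Assumes: NOC public key already imported with `rpm --import KEYFILE`.

# Decide whether one `rpm -K` output line proves a *verified signature*.
# Examples of real rpm output shapes this handles:
#   "pkg.rpm: sha1 md5 OK"                    -> digests only, unsigned
#   "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"     -> signed and verified
#   "pkg.rpm: digests signatures OK"          -> newer rpm, signed
#   "pkg.rpm: ... (GPG) NOT OK (MISSING KEYS: GPG#...)" -> reject
sig_line_ok() {
  # Drop the "filename: " prefix so a name like openssh-rsa.rpm cannot
  # be mistaken for a signature token.
  rest="${1#*: }"
  case "$rest" in
    *"NOT OK"*) return 1 ;;   # bad signature, missing key, or bad digest
  esac
  case "$rest" in
    *" OK") ;;                # digests (and maybe signatures) verified
    *) return 1 ;;
  esac
  case "$rest" in
    *gpg*|*pgp*|*rsa*|*dsa*|*signatures*) return 0 ;;  # a signature was checked
    *) return 1 ;;            # "OK" with no signature token: unsigned package
  esac
}

# Verify every RPM under the given directory; print a verdict per file and
# return non-zero if any package is unsigned or fails verification.
verify_bundle() {
  dir="$1"; rc=0
  for f in "$dir"/*.rpm; do
    [ -e "$f" ] || { echo "no RPMs found in $dir"; return 1; }
    out=$(rpm -K "$f" 2>&1)
    if sig_line_ok "$out"; then
      echo "verified: $f"
    else
      echo "REJECT:   $out"; rc=1
    fi
  done
  return $rc
}

# Usage: sh verify_bundle.sh /media/usbstick
[ -n "$1" ] && verify_bundle "$1"
```

Only packages that pass `verify_bundle` should be handed to `rpm -i`; a regional organisation re-signing with `rpm --resign` would then import its own public key in place of, or alongside, the NOC's.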
