Re: Secrecy and user trust



Les Mikesell wrote:
Ed Greshko wrote:
Ed Greshko wrote:
It would be very nice if someone would fully define what they mean by
the very vague term "fake key".


In this context it would be one that a user would install that was not
the one officially created for the packages in the fedora repository.
In other words, you don't know how to define what a "fake key" is....so
just avoid it and pretend.

And along with that, define the method used to distribute said key in a
manner that would be oblivious to the all end users.

It doesn't have to fool all the end users, just you. Or someone with
content worth stealing, or on a network worth penetrating.
So, the target is "one" system.

It has to be
oblivious to all end users such that nobody would be able to raise an
alarm in a reasonable amount of time.

What's a reasonable amount of time? A victim would notice if/when
they manage to get an official RPM that the key doesn't match (unless
their subverted packages remove the check) and might or might not do
something besides import the correct key.
More "ifs".

If the public/private key methods employed today are as easy to
penetrate and subvert as some seem to be claiming then one has to
question why it hasn't already been done.

It's not easy to fool everyone. The question is whether there is a
way to start from scratch so you can't fool anyone.

And, it is even less easy to "fool" the people whose networks have
something worth stealing....

Why go through the laughingly improbable scenario of attempting to
subvert the public/private key infrastructure with the potential
need to simultaneously subvert DNS infrastructure on a single target
when there are already other much more simple attack vectors?

Oh, and to answer your question...."Is there a way to design a system so
you can't fool anyone?" Absolutely not.


--
Do YOU have redeeming social value?
