On 2011/6/12 Kerrick Staley <mail@kerrickstaley.com> wrote:
On Fri, Jun 10, 2011 at 5:45 PM, Dan McGee <dpmcgee@gmail.com> wrote:
I've done a fair amount of research on what we might be able to do with this during the afternoon here. Some observations below. This is mainly addressing point four in Thomas' prior email (http://mailman.archlinux.org/mailman/private/arch-dev/2011-May/014193.html). Could you please explain what the situation is? I do not have access to the arch-dev archives. In particular, what do you mean by "location A" and "location B"?
You want developers to be able to sign databases without copying them to their local machines, correct? I vote for (4), then. (1) provides complete security against an attacker with access to the main server, but it may be hassling. (2), (3), and (4) ultimately don't provide any security against an attacker with access to the main server (at least until the attack is discovered), but with (2) and (3) keys will need to be revoked after an attack (the developer's and the server's, respectively), whereas with (4) nothing will have to be done (except secure the server). Also, an attack against (4) would probably be harder to mount for the attacker and easier to notice for the developers.
I personally vote for signing the hash, but not for having two sorts of signatures. Isn't there any way to split GnuPG's code into the hashing part and the encryption part? Rémy.