[lug] X.509 CAs (was: weird su/sudo/...)

Bear Giles bgiles at coyotesong.com
Fri Apr 5 11:55:05 MST 2002


Changing topics slightly

> We were discussing this at the last NCLUG meeting on Tuesday. Debian
> doesn't have a way of revoking a trusted key from one of their developers.
> Nor does their system offer any way of verifying signed packages. 
> 
> There isn't anything in place to prevent that nightmare scenario.

That's why I've been working on developing some real X.509 CA
functionality, the first step being my PKIX extensions to PostgreSQL,
with a simple JSP cert repository.  That doesn't sound like much, but
the current systems can't scale to more than a few thousand entries
once you get off of their primary search key.

One of my current projects is the creation side - I might open up a 
"fill out this form for a free email digital cert" in the next few weeks... 
especially if I can find hosting.   (If you wish to volunteer, I need
Apache, Tomcat, JDK 1.3 or better, and PostgreSQL. :-)

> From a philosophical perspective, it's a good thing to grant lots of trust,
> but it's also a good thing to be properly suspicious and to have mechanisms
> in place to modify trust levels when needed.

That's been the biggest problem I've seen with OSS PKIX.  Most people
have forgotten that Phil Zimmermann's complaint wasn't against central
authentication, it was against a single mandatory central authority run
by the government alone.  Within an organization, you want that central
authentication - an organization should be able to authoritatively
identify who is a member or not, and what their role is.

So the answer is simple and obvious - the Debian project should run
an official CA that issues developer certs, and part of the download
and installation process would be checking that CA for revocations.
If a private key was compromised it would be trivial to revoke the cert,
issue a new one, and all existing sites would soon have an updated CRL.

Unfortunately, there's still the problem of signed packages.  The
deep issue isn't how to check the developer's signature, it's how to
allow third parties to use the same installation tools since their
keys/certs won't be known to the Debian system.  (With PKIX, you simply
maintain a list of sites you trust to act as CAs for your developers.
Debian would be one by default, but sites could add additional CAs
as they felt necessary.)

Bear
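The workflow proposed above (a project CA issuing developer certs, signed packages, a CRL consulted at install time, and a per-site list of trusted CAs), as an added example that is not part of the original message and not Debian's or the author's code. It uses only the openssl command line; the CA name, developer names, file names and the stub package are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: a toy "project CA" that
# issues developer certificates, signs a package with one, and checks the
# CA's CRL at verification time. All names, subjects and file names are
# assumptions for illustration; the package itself is a constructed stub.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config; the "openssl ca" database lives in $WORK.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_cert
[ req_dn ]
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = project_ca
[ project_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_cn
x509_extensions = dev_cert
[ any_cn ]
commonName = supplied
[ dev_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

setup_ca() {
  mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Project CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# Issue a developer cert from the project CA: $1 = file prefix, $2 = CN.
issue_dev_cert() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Publish a fresh CRL and rebuild the bundle clients verify against: the
# trusted CA certs plus their current CRLs, concatenated. A site that trusts
# additional CAs appends their cert and CRL to this same file.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust.pem
}

# Detached CMS signature over a package: $1 = package, $2 = signer prefix, $3 = sig file.
sign_pkg() {
  openssl cms -sign -binary -in "$1" -signer "$2.crt" -inkey "$2.key" \
    -outform DER -out "$3"
}

# Client side: verify the signature against the trust bundle and require that
# a CRL from the signer's issuer is present and does not list the cert.
# Prints "valid" or "rejected"; a missing CRL counts as rejected (fail closed).
check_pkg() {  # $1 = package, $2 = sig file, $3 = trust bundle
  if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
       -CAfile "$3" -crl_check -out /dev/null >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

setup_ca
issue_dev_cert alice alice@example.org
printf 'constructed stand-in for a .deb\n' > hello.deb
sign_pkg hello.deb alice hello.deb.sig

# 1. CA cert alone, no CRL published yet: the client cannot check revocation.
NO_CRL=$(check_pkg hello.deb hello.deb.sig ca.crt)
# 2. CRL published, cert not revoked.
publish_crl
BEFORE=$(check_pkg hello.deb hello.deb.sig trust.pem)
# 3. Alice's key is compromised: revoke, reissue the CRL, clients now reject.
openssl ca -config ca.cnf -revoke alice.crt >/dev/null 2>&1
publish_crl
AFTER=$(check_pkg hello.deb hello.deb.sig trust.pem)
# 4. A signer whose CA is not in the site's trust list (self-signed here) is
#    rejected until the site adds that CA's cert and CRL to its bundle.
openssl req -x509 -config ca.cnf -extensions dev_cert -newkey rsa:2048 -nodes \
  -subj "/CN=mallory@example.org" -keyout mallory.key -out mallory.crt >/dev/null 2>&1
sign_pkg hello.deb mallory evil.sig
UNKNOWN=$(check_pkg hello.deb evil.sig trust.pem)
echo "no CRL: $NO_CRL, before revocation: $BEFORE, after: $AFTER, unknown CA: $UNKNOWN"
```

Two points the script makes that the prose leaves implicit: the client has to fail closed when no CRL is obtainable (step 1), otherwise an attacker who can block CRL downloads gets the same effect as never being revoked; and the per-site trust list is nothing more than the set of CA certs (with their CRLs) the site chooses to bundle, so a third-party repository's CA is added by appending it rather than by changing the tooling.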


