[1977] in Kerberos_V5_Development
alternatives for signing krb5 1.0
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue Nov 19 14:43:50 1996
Date: Tue, 19 Nov 1996 14:41:03 -0500
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU

At the release meeting yesterday afternoon, I asked if we are going to
sign the krb5 1.0 source and binary distributions with an individual's
key (i.e., Ted's) or with a newly-minted MIT Kerberos 5 key. We decided
at the meeting to use Ted's PGP key, without much discussion. I don't
have particularly strong feelings either way, but I have come up with
one potential reason that using a new key is better.

Suppose we create a key named "MIT Kerberos 5 Release 1.0". We have
that public key signed by many well-known people (Ted, jis, whomever),
and use the private key to sign the distribution tar files. We then
*destroy* the private key. The result is that people can use PGP to
verify the distribution, and the signature is at least as well trusted
as Ted's signature, but it is now impossible for the private key used
to form the signature to be stolen because it no longer exists.

Contrast this to the case where we use Ted's key to sign the release;
Ted isn't going to want to create a new key for himself, so he will
not destroy his private key, and it is therefore at some risk of being
stolen. The downside of this approach is that we have to create a new
key for each release, but so what?

Bruce Lewis, on -i watchmaker, proposed another alternative. We
create an MD5 checksum of the distribution, and then have all the
people that would have signed the Kerberos 5 key just sign the MD5
checksum directly. This seems to be more or less cryptographically
equivalent, but I believe it would be somewhat harder for users to
perform (they would have to have pgp to verify the signatures, and an
md5 program to compute the checksum, and they'd have to match the
checksums visually themselves).

Comments?

Barry
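
The checksum-matching step of the second alternative above, done by program instead of by eye. This is an added example, not part of the original message or of the krb5 distribution. It assumes an md5sum-style manifest whose PGP signatures have already been verified separately; the function names and sample file names are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse md5sum-style lines '<hex digest>  <filename>' (assumed layout)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if not parts:
            continue  # skip blank lines
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 32 or not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: not an MD5 hex digest")
        entries[name] = digest
    return entries

def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large tar files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_distribution(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for each manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        # basename() keeps a manifest entry from pointing outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            same = hmac.compare_digest(file_digest(path), expected)
            results[name] = "OK" if same else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered later, one absent."""
    names = ("example-src.tar", "example-bin.tar")
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed contents of " + n.encode())
        manifest = "".join(f"{file_digest(os.path.join(d, n))}  {n}\n" for n in names)
        manifest += "d41d8cd98f00b204e9800998ecf8427e  example-doc.tar\n"
        with open(os.path.join(d, "example-bin.tar"), "ab") as f:
            f.write(b"!")  # alter the file after the manifest was produced
        return check_distribution(manifest, d)
```
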