[Psi-devel] OT: CACert included in Kubuntu?
Justin Karneges
justin-psi2 at affinix.com
Thu Nov 30 09:56:55 PST 2006
On Thursday 30 November 2006 4:12 am, Trejkaz wrote:
> On Wednesday 29 November 2006 10:15, Maciek Niedzielski wrote:
> > Justin Karneges wrote:
> > >> Best security practice is removing all certificates and use only some
> > >> of them.
> > >
> > > And unfortunately a usability nightmare. :(
> >
> > I'd like to see VeriSign helpdesk's face when someone (normal user!)
> > called them to ask for the fingerprint ;)
>
> But there is a damn good point here. How do we know if the key for
> "Verisign" on my machine right now was actually made by them?
You have to trust that your distribution obtains its files from reliable
sources. This is always true, and for any package they provide. If you
can't trust your own operating system, then this entire discussion is
meaningless.
Next, you need a secure way of obtaining the distribution/OS. With Windows,
you buy it in a box or it comes in your computer. Downloading an unencrypted
Linux ISO over HTTP is not something I'd consider secure. However, there are
a number of things you can do to verify the integrity of your files (not that
anyone does these things). If you can get Mark Shuttleworth to personally
hand you an Ubuntu CD-ROM, even better.
Actually, this practice of secure retrieval should apply to *any* software
package you obtain from *anywhere*, not just your operating system. This is
why I'd like to get HTTPS and Code Signing for Psi downloads, so users can
ensure they are getting an untainted package.
> And do I
> even trust a corporation in the first place? (Didn't they make an enormous
> screw-up a while back?)
They did make a screw-up. However, the fact is that we still trust them to do
their job more than we trust anyone else to do it. The same goes for
software authors that provide packages to us with security holes.
Your bank trusts Verisign. In that context, you should too. On one hand, you
have an authority system where business, bank, and government interactions
take place effortlessly. On the other hand, you could have your own personal
system where you independently verify every public key you encounter. The
latter is as secure as you make it to be. The former may not be as secure,
because of all the trust in third-parties, but it is the one the world has
chosen, and within it we are all equally vulnerable (just like credit cards,
or passports). Both realms have their place.
-Justin
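One of the "things you can do to verify the integrity of your files" that Justin alludes to, added here as an example and not part of the original thread: checking a downloaded ISO against a coreutils-style SHA256SUMS list. The image bytes, the list and the file name `kubuntu-example.iso` are constructed for the example.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS list as written by `sha256sum`:
    '<hex>  <file>' (text mode) or '<hex> *<file>' (binary mode)."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")  # tolerate the binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_of_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-gigabyte ISO never has to sit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(name: str, stream: BinaryIO, sums_text: str) -> bool:
    """True only if the list names the file AND the digests match."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False  # no entry is a failure, not "nothing to check"
    return hmac.compare_digest(sha256_of_stream(stream), expected)


def verify_bytes(name: str, data: bytes, sums_text: str) -> bool:
    """Convenience wrapper for in-memory data (tests and small files)."""
    return verify_download(name, io.BytesIO(data), sums_text)


# Constructed sample: a fake "ISO" and a SHA256SUMS list generated for it.
SAMPLE_ISO = b"not a real image, constructed for this example\n"
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_ISO).hexdigest()} *kubuntu-example.iso\n"
    "0000000000000000000000000000000000000000000000000000000000000000  other.iso\n"
)
```

A matching digest only proves the image is the one the SHA256SUMS list describes; if both came over the same plain HTTP connection, that list must itself be fetched over a trusted channel or have its signature checked, or the check detects corruption but not substitution.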