[Psi-devel] OT: CACert included in Kubuntu?

Justin Karneges justin-psi2 at affinix.com
Thu Nov 30 14:45:19 PST 2006


On Thursday 30 November 2006 1:11 pm, Trejkaz wrote:
> On Friday 01 December 2006 04:56, Justin Karneges wrote:
> > Actually, this practice of secure retrieval should apply to *any*
> > software package you obtain from *anywhere*, not just your operating
> > system.  This is why I'd like to get HTTPS and Code Signing for Psi
> > downloads, so users can ensure they are getting an untainted package.
>
> A fair collection of distros already secure things like this.  I think
> Debian were the first but I could be wrong.  Gentoo recently added the
> feature too. Both use GPG, though.
>
> (Which is good, because with GPG there is a reasonable chance that my key
> will indirectly trust the key used to sign the package -- if it were signed
> with Verisign's key, this becomes a whelk's chance in a supernova.)

At this level in the operating system, a Verisign signature doesn't buy you 
anything.  You have to trust what comes with the OS, and so having a 
signature of a third-party, whose public key is also part of the OS, is 
redundant.

So yeah, GPG is a perfectly fair way to do secure package downloading.  The 
other way would be to use X.509 without the official root CAs.  I would 
recommend either of these approaches in any situation where all parties 
involved are "known", not just for package management.

For example, we might consider bundling a public key inside of Psi, for 
verifying things like updates (or anything the client might auto-download 
from psi-im.org, such as iconsets...   thinking far into the future 
here :) ).  This key would not need a root CA signature, since the security 
domain is closed and specific.  It is only when you need communication with 
unknown entities that the root CA system becomes truly useful.
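As an added illustration of the bundled-key idea above (example code written for this page, not Psi's own updater): the release machine holds an Ed25519 private key, the client ships only the public half, and the client accepts an iconset or update only if the accompanying manifest verifies against that key and the downloaded bytes match the manifest's hash. No CA is involved, because in this closed domain the only party allowed to sign is the project itself. The manifest format, file names and payload bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// GenerateReleaseKey is the publisher side. Only the public key is compiled
// into the client; the private key stays on the release machine.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest ties a file name to the SHA-256 of its payload. Signing this
// small manifest (hypothetical format: "name\nhexdigest\n") instead of the raw
// payload binds the signature to a specific named artifact.
func BuildManifest(name string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(name + "\n" + hex.EncodeToString(sum[:]) + "\n")
}

// SignManifest runs on the release machine, never in the client.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// PinnedVerifier is the client side: it trusts exactly one key, the one
// bundled in the binary, and nothing else.
type PinnedVerifier struct {
	pub ed25519.PublicKey
}

// VerifyUpdate accepts the download only if (1) the manifest carries a valid
// signature from the bundled key and (2) the payload matches the manifest.
func (v PinnedVerifier) VerifyUpdate(name string, payload, manifest, sig []byte) error {
	if len(v.pub) != ed25519.PublicKeySize {
		return errors.New("bundled public key is malformed")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has the wrong length")
	}
	if !ed25519.Verify(v.pub, manifest, sig) {
		return errors.New("manifest signature does not verify against the bundled key")
	}
	if !bytes.Equal(BuildManifest(name, payload), manifest) {
		return errors.New("downloaded payload does not match the signed manifest")
	}
	return nil
}

// Demo walks through the genuine case and two failure modes: a mirror that
// altered the payload, and a third party signing with its own key.
func Demo() (genuine, tampered, foreign bool, err error) {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		return
	}
	client := PinnedVerifier{pub: pub}

	// Constructed sample artifact standing in for an iconset archive.
	name := "iconset-example-1.0.zip"
	payload := []byte("constructed iconset archive bytes")
	manifest := BuildManifest(name, payload)
	sig := SignManifest(priv, manifest)

	genuine = client.VerifyUpdate(name, payload, manifest, sig) == nil

	// A mirror serves modified bytes with the original signed manifest.
	altered := append([]byte{}, payload...)
	altered[0] ^= 0xff
	tampered = client.VerifyUpdate(name, altered, manifest, sig) == nil

	// Someone else signs the same manifest with a key the client never shipped.
	_, otherPriv, err := GenerateReleaseKey()
	if err != nil {
		return
	}
	foreign = client.VerifyUpdate(name, payload, manifest, SignManifest(otherPriv, manifest)) == nil
	return
}

func main() {
	genuine, tampered, foreign, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, foreign key accepted: %v\n",
		genuine, tampered, foreign)
}
```

The important design point is that the verifier holds one key and checks the manifest before trusting anything derived from it; the same structure would work with an X.509 certificate pool containing only the project's own private CA, which is the second option the message mentions.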

> It would be nice if there were proof of trust of the root CAs' keys.

There is.  The fact that your browser/OS has them installed.

> For instance, if my bank actually signed their key, I might believe that
> they trust it.  At the current point in time I have to assume that they're
> in the same situation as myself -- skeptical but with little choice but to
> trust it.

The bank certifies Verisign?  I don't get what you're suggesting here.

-Justin

