User masquerading - audit trail?

Jeremy Lizakowski jeremy at GreenSpringDesign.com
Sat Jan 17 03:04:16 UTC 2009


>> I think masquerading can be prevented quite easily, and done securely. 
> Um, er, no it can't.  ... bridge between the meat and the electronic 

I meant that masquerading could be solved by treating the key 
fingerprint as the user's 'unforgeable' identity, not the name provided.

You are right - correlating the key and the human is difficult.  There 
are two aspects of correlating keys with humans:  the question of whether 
the person is truthfully identifying themselves, and whether the key has 
been compromised.

Identification can be done by meeting the person, or by a web of trust 
(with which GPG can assist).  The developer's real name also may not 
matter.  Good work can be done under an alias, and that might be 
sufficient to trust that person.

>> the key for the signature is essentially not forgeable. 
> You might want to check out the latest stats on the various forms of 
> data theft (via stolen/lost devices such as laptops, 

Regarding compromised keys, I understand that entire systems can fall 
and keys can be stolen.  If the laptop is stolen, or the user held 
against their will (rubber-hose cryptanalysis), then all forms of 
security can fall.

Anything that compromises their code-signing key could compromise every 
root password they use from that system.  But this does not negate the 
need for root passwords, nor the need for authentication.

Perfectly secure systems don't exist, but we can increase the cost for 
the attacker, and increase the likelihood of detection.

The failure mode I'm concerned with is users providing their credentials 
by setting a string in a file themselves.  Editing a text file is easier 
than stealing a laptop.

> Basically, the belief that you can enlarge your fundamental trust 
> boundary by relying on such signatures without significant risk is a 
> fallacy.  Studying basic epidemiology is, IMHO, a requirement for anyone 
> in the security field. :-)

I'm not saying that all people can be trusted if they have a key.  I'm 
saying that trusted people can be identified if they use keys.

If Linus Torvalds signs code, I trust that he won't lend his identity to 
an interloper, and that he will take steps to avoid being hacked.  He 
has a reputation to protect, and he's smart.  I'll bet my kernel on it.

For everyone else, I would add the required number of grains of salt.

The idea is to provide a means to identify the code submissions of those 
you trust.  Whether they control their own signature effectively is part 
of measuring that trust.

Theory aside, I just want to know that 3rd party contractors are 
legitimately identifying themselves.  I think this would be interesting 
beyond that, but I'm just looking for a specific solution.

I got pretty close with hooks, but not quite.

Jeremy
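An added example, not code from this thread or from Mercurial's gpg extension: a hook-side check that treats the key fingerprint reported by `gpg --status-fd 1 --verify` as the committer's identity and rejects a changeset whose committer string (the hgrc `[ui] username` anyone can edit) is not registered to that key. The key registry, fingerprints and status lines are constructed samples; feeding real gpg output from a Mercurial hook is assumed.

```python
from typing import Optional, Tuple

# Hypothetical key registry: primary key fingerprint -> the only committer
# string (the hgrc [ui] username) that key may vouch for.  Constructed samples.
TRUSTED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "Alice Contractor <alice@example.com>",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "Bob Contractor <bob@example.com>",
}

# Constructed stand-in for what `gpg --status-fd 1 --verify sig data` prints.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Contractor <alice@example.com>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-01-17 "
    "1232161456 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(status_text: str) -> Tuple[bool, Optional[str]]:
    """Return (signature_good, key_fingerprint) from gpg status-fd output.  Only
    VALIDSIG carries a full fingerprint; GOODSIG gives a 64-bit key ID only."""
    good, fpr = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FAILURE_TAGS:
            return False, None
        if parts[1] == "VALIDSIG":
            # Field 11 (primary key fingerprint) exists in newer gpg releases;
            # older ones give only the signing-key fingerprint in field 2.
            fpr = (parts[11] if len(parts) > 11 else parts[2]).upper()
            good = True
    return good, fpr

def check_changeset(claimed_user: str, status_text: str, trusted=TRUSTED_KEYS):
    """Return (accepted, reason): the committer string is accepted only when a
    registered key made a valid signature and is registered to that very string."""
    good, fpr = parse_status(status_text)
    if not good or fpr is None:
        return False, "no valid signature on changeset"
    if fpr not in trusted:
        return False, "signing key %s is not in the trusted registry" % fpr
    if trusted[fpr] != claimed_user:
        return False, "masquerade: %r is not the holder of key %s" % (claimed_user, fpr)
    return True, "ok: %s vouched for by key %s" % (claimed_user, fpr)

if __name__ == "__main__":
    print(check_changeset("Linus Torvalds <torvalds@example.com>", SAMPLE_GOOD_STATUS))
```

A changeset signed by Alice's key but labelled with someone else's username is refused as a masquerade, while an unsigned or badly signed one is refused outright.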
