Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Hubert Feyrer <hubert@feyrer.de>
From: Curt Sampson <cjs@cynic.net>
List: tech-pkg
Date: 07/25/2005 11:34:27
On Sun, 24 Jul 2005, Hubert Feyrer wrote:

> Please let's just sign the whole file.
> It's more failsafe, and not that difficult to implement, see my other 
> posting.

It's a PITA for users. Do we really want to stick users with the baggage
of having to deal with two files, and the attendant risk of mismatching
the two or losing one, if we gain no security benefit from it?

I see three potential reasons to go with two files instead of one:

     1. We have a convincing proof that it defends against attacks that
     including the signature in the archive cannot defend against.

     2. We've researched the subject, and cannot convincingly demonstrate
     that including the signature in the archive is as safe as having a
     detached signature.

     3. We've decided we just don't care, and are going to adopt a
     potentially inferior standard because we're too lazy to do the
     research.

One of these reasons is not a good way to set standards.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA