tech-userlevel archive


Re: CVS commit: src/usr.bin/nbsvtool



On Mon, 14 Jul 2008 22:10:27 +0200 (CEST)
Dieter Baron <dillo%KD119105101110.ppp-bb.dion.ne.jp@localhost> wrote:

> : >   - What is the difference between a key and a certificate.
> 
> : A certificate is used to mean "public key + meta data".
> : To create signatures the matching private key is required.
> 
>   Okay, we should integrate that into the man page somehow.

Perhaps, though that's more or less the definition of a certificate.
(The (crucial) missing piece is that the key and metadata need to be
signed by someone.)
> 
> : >   - What is trusted if no trust anchor is given?
> 
> : Nothing.
> 
>   So is there any way for verify to succeed without a trust anchor?
> Otherwise, -a is required for verify to make sense (and that should be
> noted in the man page, and probably enforced by the code).

No, there's no way to verify anything without a trust anchor.  That's
not quite by definition, but it's pretty close.  (Consider the
following two scenarios.  (a) Your significant other, whom you trust
completely, generates a key pair and associated metadata, gets those
signed, and then signs a statement saying "this piece of attached code
is trustworthy". (b) Your worst enemy, who will stop at nothing to hurt
you, generates a key pair and metadata claiming to be your SO, gets it
signed by another bad guy, and signs a similar statement.  If you can't
believe the trust anchor's certification about who owns that key pair,
the two statements are equivalent.  (The reality is much more complex,
but this is the essence of the trust anchor requirement.))

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
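Steve's two scenarios worked through in code, as an added example that is not part of this thread or of nbsvtool and uses only Go's standard library (the CA names, the claimant name "Your SO" and the signed statement are constructed for the demonstration): both claimants get a key pair and a certificate carrying the same metadata, each signs the same statement, and the verifier checks both against an anchor set that is either empty or holds only the CA you trust. The raw signature check passes for both claimants in every case; only the chain check against a trust anchor tells them apart, and with no anchor it fails for both, which is what makes -a necessary for verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { // key generation and certificate creation fail only on programming or entropy errors
	if err != nil {
		panic(err)
	}
}

type signer struct { // a private key plus its certificate: public key + metadata, signed by some issuer
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCert makes a key pair and a certificate for name; a nil issuer yields a self-signed CA (a candidate anchor).
func newCert(name string, issuer *signer) *signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
		parent, signKey = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &signer{key: key, cert: cert}
}

func (s *signer) sign(data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:])
	must(err)
	return sig
}

// check answers two separate questions: does sig verify under cert's own public key (the holder of
// that key signed it), and does cert chain to an anchor (an anchor vouches for who that holder is)?
func check(data, sig []byte, cert *x509.Certificate, anchors *x509.CertPool) (sigOK, chainOK bool) {
	h := sha256.Sum256(data)
	sigOK = ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), h[:], sig)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     anchors, // keep non-nil: a nil pool means "use the system roots"
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return sigOK, err == nil
}

type Outcome struct { // both checks for each of the two claimants
	SOSigOK, SOChainOK       bool
	EnemySigOK, EnemyChainOK bool
}

// RunScenario certifies the SO by a CA you trust and the enemy, under the same claimed name, by
// the enemy's own CA, has both sign one statement, and checks each against the configured anchors.
func RunScenario(withAnchor bool) Outcome {
	goodCA := newCert("CA you trust", nil)
	badCA := newCert("CA run by the other bad guy", nil)
	so := newCert("Your SO", goodCA)
	enemy := newCert("Your SO", badCA) // same claimed identity, different key
	stmt := []byte("this piece of attached code is trustworthy") // constructed input
	anchors := x509.NewCertPool()                                 // empty unless we add the CA we trust
	if withAnchor {
		anchors.AddCert(goodCA.cert)
	}
	var out Outcome
	out.SOSigOK, out.SOChainOK = check(stmt, so.sign(stmt), so.cert, anchors)
	out.EnemySigOK, out.EnemyChainOK = check(stmt, enemy.sign(stmt), enemy.cert, anchors)
	return out
}

func main() {
	fmt.Printf("with anchor:    %+v\n", RunScenario(true))
	fmt.Printf("without anchor: %+v\n", RunScenario(false))
}
```

Running it prints both outcomes: with the anchor the SO's chain verifies and the enemy's does not; without it neither does, even though both raw signatures are perfectly valid. One caveat worth knowing when writing such a verifier in Go: a nil Roots in x509.VerifyOptions means "use the system roots", so an explicit empty pool is what models "no trust anchor given".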

