Kurt Zeilenga wrote:
For instance, web_ldap says it provides a signature for a digital release, but clicking on the link provides a page which says "Not found".
I knew this (transition during a major OS update on my local machine). It's fixed.
But, as I noted with hashes, the fact that release messages are widely published may make it more likely that such problems will be detected.
Hashes have to be validated out-of-band each time a new release is published. The trusted keys have to be validated out-of-band only each time a new trust anchor key is generated.
For instance, one does need to consider that the host used to sign the releases might itself have been taken over and the implications of such a takeover.
There is no 100% security. I already know this. But raising the security level is always a desirable goal.
Anyways, for this to go anywhere, I think you or others advocating it need to more precisely state which attacks you are concerned about, how you think digital signatures will help, and detail requirements on that signing (in particular, requirements on the signing key so trust can be established and maintained).
I have no objections against a single release manager using his personal key or a dedicated key for OpenLDAP tar.gz signing stored in your local file system reasonably protected by a passphrase. As I see it you're the only one packaging the tar.gz. So this should not be too difficult for you. Well, if you don't want to do that then just leave it...
Note that these are human-factor attacks, not attacks based upon any weakness in the PGP signing standards or implementations.
I already know that.
Ciao, Michael.