WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] request to sign software

from [Keir Fraser] [Permanent Link][Original]
To: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>, Jeremy Fitzhardinge <jeremy@xxxxxxxx>
Subject: Re: [Xen-devel] request to sign software
From: Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
Date: Tue, 30 Mar 2010 08:00:10 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Stephen Spector <stephen.spector@xxxxxxxxxx>
Delivery-date: Tue, 30 Mar 2010 00:01:18 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4BB11706.5020301@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcrPhAj3pHkabGiZSpaOn4CPZvsECAAUpolv
Thread-topic: [Xen-devel] request to sign software
User-agent: Microsoft-Entourage/12.24.0.100205 
On 29/03/2010 22:09, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx>
wrote:

> ...and then publish it on xen.org and sent to xen-devel. The list is
> mirrored in a few places, so it would not be trivial for the attacker to
> subvert the public key in all the public archives. Users can always use
> more than one different internet connections to verify the key, to get
> around potential compromise at an ISP level.
> 
> This could be your "master key" and then you could simply sign other
> keys (e.g. Jermey's, Keir's, etc) with this master key (simple gpg -s,
> no certs, no web of trust, needed).

I chatted with Ian Jackson about this, and our thought was to generate a
xen.org master key which we would keep safe in Cambridge: only he and I
would have copies of it (the two of us, for redundancy). We can also
generate a software-signing key, signed by the master key, which we actually
use for the business of signing releases from the xen-*.hg and
qemu-xen-*.git repositories.

We weren't sure it makes sense for Jeremy to sign anything since he's not
actually making releases out of his repository. If we decide that Jeremy
should sign things I think it best he makes his own key and we sign it with
the master key.

 -- Keir



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] [PATCH] x86: Small Fix for cmci threashold set value, Ke, Liping
Next by Date:  Re: [Xen-devel] Xen CPU limit?, Jan Beulich
Previous by Thread:  Re: [Xen-devel] request to sign software, Joanna Rutkowska
Next by Thread:  Re: [Xen-devel] request to sign software, Joanna Rutkowska
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy