[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: public keys for cvs use on the mirrors?



And naddy_(_at_)_mips_(_dot_)_inka_(_dot_)_de (Christian Weisgerber) replied:

> Joel Rees <joel_(_at_)_alpsgiken_(_dot_)_gr_(_dot_)_jp> wrote:
> 
> > Do the mirrors all have master lists of each others' public keys or
> > whatever for verification?
> 
> No, they don't.

Okay. Thanks.

(Thought about the distribution problem last night and about the
likelihood of a MITM attack and so forth. 

I guess, if I want to be that paranoid, I should schedule some time to
write a script to handle the distribution and guard-duty. The concept
seems straightforward at first glance: a list of servers that verify
against each other, a server/client pair, random-sort the list before
each pass through, and log/e-mail whenever a fingerprint changes. Also,
log/e-mail when a server in the list mucks a client query or misses a
timeout. That would be a good first approximation, at any rate. 

If I understood ssh, it probably wouldn't take that long to write. So
I'll have to schedule studying ssh first. Cron, too, come to think of it.
Wonder what else I'm missing.)

-- 
Joel Rees <joel_(_at_)_alpsgiken_(_dot_)_gr_(_dot_)_jp>



Visit your host, monkey.org