[pmwiki-users] Infected Cookbook Recipes?

Christophe David pmwiki at christophedavid.org
Mon Sep 22 11:32:03 CDT 2008



>> But in order to sign the files, the public key for the signature
>> would have to be posted somewhere!

That is the purpose of keyservers like http://pgp.mit.edu .

In order to make sure a public key actually belongs to the "right"
person, public keys can be signed by others to create a "web of
trust". It would be a good idea for active recipe authors to sign each
other's keys.

All that seems a bit complicated when explained, but is in fact nearly
completely hidden by the software extensions/addons that handle the
complexity.

All this is absolutely not new nor specific to PmWiki recipes...  The
techniques and the software have been in daily use for many years by
hundreds of thousands of people for email, file transfer, etc.
Automated software upgrades rely on them too:  GPG is standard on most
Linux distributions and is used to validate the software distributed by
the repositories.

>> Perhaps the author's profile page would be a good place to put that,
>> the author could password protect this page?

Public keys may, by definition, be distributed to anyone.  The only
difficulty is to make sure a public key actually belongs to the
"right" person and is not fake.  Hence the web of trust.
Therefore, the (signed by others) public keys of the recipe authors
could also be posted on pmwiki.org,  and/or on their own site,  and/or
on key servers, etc.

As an example, here is my public key:
https://www.christophedavid.org/w/c/w.php/Main/CDAPubkey

>> But if we do that, why not simply put the MD5 hashes on the
>> author's profile page instead?

Because you lack the "web of trust".  If you get a public key and can
validate that several persons you trust have signed it (meaning "I
certify this key belongs to xyz"), then you should feel confident.  If
you just have a hash, you cannot be sure it has not been calculated by
the person who modified the file to insert some nasty code.

Christophe


